diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 503a13111b6..e59e3c7612e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -439,6 +439,27 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379]
 - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376]
 - Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121]
+- Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713]
+- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713]
+- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713]
+- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs {pull}19713[19713]
+- Add experimental dataset bluecoat/director for Bluecoat Director logs {pull}19713[19713]
+- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713]
+- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713]
+- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713]
+- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713]
+- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713]
+- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713]
+- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713]
+- Add experimental dataset juniper/junos for Juniper Junos OS logs {pull}19713[19713]
+- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs {pull}19713[19713]
+- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs {pull}19713[19713]
+- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs {pull}19713[19713]
+- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs {pull}19713[19713]
+- Add experimental dataset radware/defensepro for Radware DefensePro logs {pull}19713[19713]
+- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713]
+- Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713]
+- Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index aa33db1c611..2e97c5c150e 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -18,18 +18,23 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -38,19 +43,25 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -59,13 +70,20 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
+* <>
 * <>
 * <>
+* <>
 --
 [[exported-fields-activemq]]
@@ -3267,19650 +3285,17624 @@ type: keyword -- -[[exported-fields-beat-common]] -== Beat fields +[[exported-fields-barracuda]] +== Barracuda Web Application Firewall fields -Contains common beat fields available in all event types. +barracuda fields. -*`agent.hostname`*:: +*`network.interface.name`*:: + -- -Deprecated - use agent.name or agent.id to identify an agent. - +Name of the network interface where the traffic has been observed. -type: alias -alias to: agent.name +type: keyword -- -*`beat.timezone`*:: + + +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: event.timezone +type: keyword -- -*`fields`*:: +*`rsa.internal.messageid`*:: + -- -Contains user configurable fields. - - -type: object +type: keyword -- -*`beat.name`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: host.name +type: keyword -- -*`beat.hostname`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: agent.name +type: keyword -- -*`timeseries.instance`*:: +*`rsa.internal.time`*:: + -- -Time series instance id +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -[[exported-fields-cef]] -== Decode CEF processor fields fields - -Common Event Format (CEF) data. - +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long -[float] -=== cef +-- -By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`cef.version`*:: +*`rsa.internal.msg_vid`*:: + -- -Version of the CEF specification used by the message. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.device.vendor`*:: +*`rsa.internal.data`*:: + -- -Vendor of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.product`*:: +*`rsa.internal.obj_server`*:: + -- -Product of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.version`*:: +*`rsa.internal.obj_val`*:: + -- -Version of the product that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.event_class_id`*:: +*`rsa.internal.resource`*:: + -- -Unique identifier of the event type. - +Deprecated key defined only in table map. type: keyword -- -*`cef.severity`*:: +*`rsa.internal.obj_id`*:: + -- -Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. - +Deprecated key defined only in table map. type: keyword -example: Very-High - -- -*`cef.name`*:: +*`rsa.internal.statement`*:: + -- -Short description of the event. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== extensions - -Collection of key-value pairs carried in the CEF extension field. +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`cef.extensions.agentAddress`*:: +*`rsa.internal.entry`*:: + -- -The IP address of the ArcSight connector that processed the event. 
+Deprecated key defined only in table map. -type: ip +type: keyword -- -*`cef.extensions.agentDnsDomain`*:: +*`rsa.internal.hcode`*:: + -- -The DNS domain name of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentHostName`*:: +*`rsa.internal.inode`*:: + -- -The hostname of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentId`*:: +*`rsa.internal.resource_class`*:: + -- -The agent ID of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentMacAddress`*:: +*`rsa.internal.dead`*:: + -- -The MAC address of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentNtDomain`*:: +*`rsa.internal.feed_desc`*:: + -- -None +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentReceiptTime`*:: +*`rsa.internal.feed_name`*:: + -- -The time at which information about the event was received by the ArcSight connector. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: date +type: keyword -- -*`cef.extensions.agentTimeZone`*:: +*`rsa.internal.cid`*:: + -- -The agent time zone of the ArcSight connector that processed the event. +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedAddress`*:: +*`rsa.internal.device_class`*:: + -- -None +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.agentTranslatedZoneExternalID`*:: +*`rsa.internal.device_group`*:: + -- -None +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedZoneURI`*:: +*`rsa.internal.device_host`*:: + -- -None +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentType`*:: +*`rsa.internal.device_ip`*:: + -- -The agent type of the ArcSight connector that processed the event +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentVersion`*:: +*`rsa.internal.device_ipv6`*:: + -- -The version of the ArcSight connector that processed the event. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentZoneExternalID`*:: +*`rsa.internal.device_type`*:: + -- -None +This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentZoneURI`*:: +*`rsa.internal.device_type_id`*:: + -- -None +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.applicationProtocol`*:: +*`rsa.internal.did`*:: + -- -Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.baseEventCount`*:: +*`rsa.internal.entropy_req`*:: + -- -A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesIn`*:: +*`rsa.internal.entropy_res`*:: + -- -Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesOut`*:: +*`rsa.internal.event_name`*:: + -- -Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. +Deprecated key defined only in table map. -type: long +type: keyword -- -*`cef.extensions.customerExternalID`*:: +*`rsa.internal.feed_category`*:: + -- -None +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.customerURI`*:: +*`rsa.internal.forward_ip`*:: + -- -None +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`cef.extensions.destinationAddress`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cef.extensions.destinationDnsDomain`*:: +*`rsa.internal.header_id`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationGeoLatitude`*:: +*`rsa.internal.lc_cid`*:: + -- -The latitudinal value from which the destination's IP address belongs. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: keyword -- -*`cef.extensions.destinationGeoLongitude`*:: +*`rsa.internal.lc_ctime`*:: + -- -The longitudinal value from which the destination's IP address belongs. +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: date -- -*`cef.extensions.destinationHostName`*:: +*`rsa.internal.mcb_req`*:: + -- -Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationMacAddress`*:: +*`rsa.internal.mcb_res`*:: + -- -Six colon-seperated hexadecimal numbers. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationNtDomain`*:: +*`rsa.internal.mcbc_req`*:: + -- -The Windows domain name of the destination address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cef.extensions.destinationPort`*:: +*`rsa.internal.mcbc_res`*:: + -- -The valid port numbers are between 0 and 65535. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`cef.extensions.destinationProcessId`*:: +*`rsa.internal.medium`*:: + -- -Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`cef.extensions.destinationProcessName`*:: +*`rsa.internal.node_name`*:: + -- -The name of the event's destination process. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationServiceName`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The service targeted by this event. +This key denotes that event is endpoint related type: keyword -- -*`cef.extensions.destinationTranslatedAddress`*:: +*`rsa.internal.parse_error`*:: + -- -Identifies the translated destination that the event refers to in an IP network. +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.destinationTranslatedPort`*:: +*`rsa.internal.payload_req`*:: + -- -Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cef.extensions.destinationTranslatedZoneExternalID`*:: +*`rsa.internal.payload_res`*:: + -- -None +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`cef.extensions.destinationTranslatedZoneURI`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cef.extensions.destinationUserId`*:: +*`rsa.internal.process_vid_src`*:: + -- -Identifies the destination user by ID. 
For example, in UNIX, the root user is generally associated with user ID 0. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`cef.extensions.destinationUserName`*:: +*`rsa.internal.rid`*:: + -- -Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.destinationUserPrivileges`*:: +*`rsa.internal.session_split`*:: + -- -The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationZoneExternalID`*:: +*`rsa.internal.site`*:: + -- -None +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationZoneURI`*:: +*`rsa.internal.size`*:: + -- -The URI for the Zone that the destination asset has been assigned to in ArcSight. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.deviceAction`*:: +*`rsa.internal.sourcefile`*:: + -- -Action taken by the device. +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.deviceAddress`*:: +*`rsa.internal.ubc_req`*:: + -- -Identifies the device address that an event refers to in an IP network. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: ip +type: long -- -*`cef.extensions.deviceCustomFloatingPoint1Label`*:: +*`rsa.internal.ubc_res`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cef.extensions.deviceCustomFloatingPoint3Label`*:: +*`rsa.internal.word`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + +*`rsa.time.event_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`cef.extensions.deviceCustomDate1`*:: +*`rsa.time.duration_time`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the normalized duration/lifetime in seconds. 
-type: date +type: double -- -*`cef.extensions.deviceCustomDate1Label`*:: +*`rsa.time.event_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`cef.extensions.deviceCustomDate2`*:: +*`rsa.time.starttime`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the Start time mentioned in a session in a standard form type: date -- -*`cef.extensions.deviceCustomDate2Label`*:: +*`rsa.time.month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint1`*:: +*`rsa.time.day`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. - -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint2`*:: +*`rsa.time.endtime`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the End time mentioned in a session in a standard form -type: double +type: date -- -*`cef.extensions.deviceCustomFloatingPoint2Label`*:: +*`rsa.time.timezone`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the timezone of the Event Time type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint3`*:: +*`rsa.time.duration_str`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. 
+A text string version of the duration -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4`*:: +*`rsa.time.date`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +type: keyword -type: double +-- +*`rsa.time.year`*:: ++ -- +type: keyword -*`cef.extensions.deviceCustomIPv6Address1`*:: +-- + +*`rsa.time.recorded_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address1Label`*:: +*`rsa.time.datetime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address2`*:: +*`rsa.time.effective_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address2Label`*:: +*`rsa.time.expire_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`cef.extensions.deviceCustomIPv6Address3`*:: +*`rsa.time.process_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
+Deprecated, use duration.time -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address3Label`*:: +*`rsa.time.hour`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4`*:: +*`rsa.time.min`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4Label`*:: +*`rsa.time.timestamp`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber1`*:: +*`rsa.time.event_queue_time`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is the Time that the event was queued. -type: long +type: date -- -*`cef.extensions.deviceCustomNumber1Label`*:: +*`rsa.time.p_time1`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber2`*:: +*`rsa.time.tzone`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber2Label`*:: +*`rsa.time.eventtime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber3`*:: +*`rsa.time.gmtdate`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber3Label`*:: +*`rsa.time.gmttime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString1`*:: +*`rsa.time.p_date`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString1Label`*:: +*`rsa.time.p_month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString2`*:: +*`rsa.time.p_time`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString2Label`*:: +*`rsa.time.p_time2`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString3`*:: +*`rsa.time.p_year`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString3Label`*:: +*`rsa.time.expire_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
type: keyword -- -*`cef.extensions.deviceCustomString4`*:: +*`rsa.time.stamp`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +Deprecated key defined only in table map. -type: keyword +type: date -- -*`cef.extensions.deviceCustomString4Label`*:: + +*`rsa.misc.action`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString5`*:: +*`rsa.misc.result`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`cef.extensions.deviceCustomString5Label`*:: +*`rsa.misc.severity`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the severity given the session type: keyword -- -*`cef.extensions.deviceCustomString6`*:: +*`rsa.misc.event_type`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key captures the event category type as specified by the event source. type: keyword -- -*`cef.extensions.deviceCustomString6Label`*:: +*`rsa.misc.reference_id`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture an event id from the session directly type: keyword -- -*`cef.extensions.deviceDirection`*:: +*`rsa.misc.version`*:: + -- -Any information about what direction the observed communication has taken. 
The following values are supported - "0" for inbound or "1" for outbound. +This key captures Version of the application or OS which is generating the event. -type: long +type: keyword -- -*`cef.extensions.deviceDnsDomain`*:: +*`rsa.misc.disposition`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This key captures the The end state of an action. type: keyword -- -*`cef.extensions.deviceEventCategory`*:: +*`rsa.misc.result_code`*:: + -- -Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`cef.extensions.deviceExternalId`*:: +*`rsa.misc.category`*:: + -- -A name that uniquely identifies the device generating this event. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`cef.extensions.deviceFacility`*:: +*`rsa.misc.obj_name`*:: + -- -The facility generating this event. For example, Syslog has an explicit facility associated with every event. +This is used to capture name of object type: keyword -- -*`cef.extensions.deviceFlexNumber1`*:: +*`rsa.misc.obj_type`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This is used to capture type of object -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber1Label`*:: +*`rsa.misc.event_source`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+This key captures Source of the event that’s not a hostname type: keyword -- -*`cef.extensions.deviceFlexNumber2`*:: +*`rsa.misc.log_session_id`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber2Label`*:: +*`rsa.misc.group`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key captures the Group Name value type: keyword -- -*`cef.extensions.deviceHostName`*:: +*`rsa.misc.policy_name`*:: + -- -The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. +This key is used to capture the Policy Name only. type: keyword -- -*`cef.extensions.deviceInboundInterface`*:: +*`rsa.misc.rule_name`*:: + -- -Interface on which the packet or data entered the device. +This key captures the Rule Name type: keyword -- -*`cef.extensions.deviceMacAddress`*:: +*`rsa.misc.context`*:: + -- -Six colon-separated hexadecimal numbers. +This key captures Information which adds additional context to the event. type: keyword -- -*`cef.extensions.deviceNtDomain`*:: +*`rsa.misc.change_new`*:: + -- -The Windows domain name of the device address. +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`cef.extensions.deviceOutboundInterface`*:: +*`rsa.misc.space`*:: + -- -Interface on which the packet or data left the device. - type: keyword -- -*`cef.extensions.devicePayloadId`*:: +*`rsa.misc.client`*:: + -- -Unique identifier for the payload associated with the event. +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`cef.extensions.deviceProcessId`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Provides the ID of the process on the device generating the event. - -type: long +type: keyword -- -*`cef.extensions.deviceProcessName`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Process name associated with the event. An example might be the process generating the syslog entry in UNIX. - type: keyword -- -*`cef.extensions.deviceReceiptTime`*:: +*`rsa.misc.change_old`*:: + -- -The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +This key is used to capture the old value of the attribute that’s changing in a session -type: date +type: keyword -- -*`cef.extensions.deviceTimeZone`*:: +*`rsa.misc.operation_id`*:: + -- -The time zone for the device generating the event. +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`cef.extensions.deviceTranslatedAddress`*:: +*`rsa.misc.event_state`*:: + -- -Identifies the translated device address that the event refers to in an IP network. +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: ip +type: keyword -- -*`cef.extensions.deviceTranslatedZoneExternalID`*:: +*`rsa.misc.group_object`*:: + -- -None +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`cef.extensions.deviceTranslatedZoneURI`*:: +*`rsa.misc.node`*:: + -- -The URI for the Translated Zone that the device asset has been assigned to in ArcSight. +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`cef.extensions.deviceZoneExternalID`*:: +*`rsa.misc.rule`*:: + -- -None +This key captures the Rule number type: keyword -- -*`cef.extensions.deviceZoneURI`*:: +*`rsa.misc.device_name`*:: + -- -Thee URI for the Zone that the device asset has been assigned to in ArcSight. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`cef.extensions.endTime`*:: +*`rsa.misc.param`*:: + -- -The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. +This key is the parameters passed as part of a command or application, etc. -type: date +type: keyword -- -*`cef.extensions.eventId`*:: +*`rsa.misc.change_attrib`*:: + -- -This is a unique ID that ArcSight assigns to each event. +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`cef.extensions.eventOutcome`*:: +*`rsa.misc.event_computer`*:: + -- -Displays the outcome, usually as 'success' or 'failure'. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`cef.extensions.externalId`*:: +*`rsa.misc.reference_id1`*:: + -- -The ID used by an originating device. They are usually increasing numbers, associated with events. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`cef.extensions.fileCreateTime`*:: +*`rsa.misc.event_log`*:: + -- -Time when the file was created. +This key captures the Name of the event log -type: date +type: keyword -- -*`cef.extensions.fileHash`*:: +*`rsa.misc.OS`*:: + -- -Hash of a file. +This key captures the Name of the Operating System type: keyword -- -*`cef.extensions.fileId`*:: +*`rsa.misc.terminal`*:: + -- -An ID associated with a file could be the inode. 
+This key captures the Terminal Names only type: keyword -- -*`cef.extensions.fileModificationTime`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Time when the file was last modified. - -type: date +type: keyword -- -*`cef.extensions.filename`*:: +*`rsa.misc.filter`*:: + -- -Name of the file only (without its path). +This key captures Filter used to reduce result set type: keyword -- -*`cef.extensions.filePath`*:: +*`rsa.misc.serial_number`*:: + -- -Full path to the file, including file name itself. +This key is the Serial number associated with a physical asset. type: keyword -- -*`cef.extensions.filePermission`*:: +*`rsa.misc.checksum`*:: + -- -Permissions of the file. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`cef.extensions.fileSize`*:: +*`rsa.misc.event_user`*:: + -- -Size of the file. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: long +type: keyword -- -*`cef.extensions.fileType`*:: +*`rsa.misc.virusname`*:: + -- -Type of file (pipe, socket, etc.) +This key captures the name of the virus type: keyword -- -*`cef.extensions.flexDate1`*:: +*`rsa.misc.content_type`*:: + -- -A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture Content Type only. -type: date +type: keyword -- -*`cef.extensions.flexDate1Label`*:: +*`rsa.misc.group_id`*:: + -- -The label field is a string and describes the purpose of the flex field. 
+This key captures Group ID Number (related to the group name) type: keyword -- -*`cef.extensions.flexString1`*:: +*`rsa.misc.policy_id`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`cef.extensions.flexString2`*:: +*`rsa.misc.vsys`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key captures Virtual System Name type: keyword -- -*`cef.extensions.flexString1Label`*:: +*`rsa.misc.connection_id`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key captures the Connection ID type: keyword -- -*`cef.extensions.flexString2Label`*:: +*`rsa.misc.reference_id2`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`cef.extensions.message`*:: +*`rsa.misc.sensor`*:: + -- -An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`cef.extensions.oldFileCreateTime`*:: +*`rsa.misc.sig_id`*:: + -- -Time when old file was created. 
+This key captures IDS/IPS Int Signature ID -type: date +type: long -- -*`cef.extensions.oldFileHash`*:: +*`rsa.misc.port_name`*:: + -- -Hash of the old file. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`cef.extensions.oldFileId`*:: +*`rsa.misc.rule_group`*:: + -- -An ID associated with the old file could be the inode. +This key captures the Rule group name type: keyword -- -*`cef.extensions.oldFileModificationTime`*:: +*`rsa.misc.risk_num`*:: + -- -Time when old file was last modified. +This key captures a Numeric Risk value -type: date +type: double -- -*`cef.extensions.oldFileName`*:: +*`rsa.misc.trigger_val`*:: + -- -Name of the old file. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`cef.extensions.oldFilePath`*:: +*`rsa.misc.log_session_id1`*:: + -- -Full path to the old file, including the file name itself. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`cef.extensions.oldFilePermission`*:: +*`rsa.misc.comp_version`*:: + -- -Permissions of the old file. +This key captures the Version level of a sub-component of a product. type: keyword -- -*`cef.extensions.oldFileSize`*:: +*`rsa.misc.content_version`*:: + -- -Size of the old file. +This key captures Version level of a signature or database content. -type: long +type: keyword -- -*`cef.extensions.oldFileType`*:: +*`rsa.misc.hardware_id`*:: + -- -Type of the old file (pipe, socket, etc.) +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`cef.extensions.rawEvent`*:: +*`rsa.misc.risk`*:: + -- -None +This key captures the non-numeric risk value type: keyword -- -*`cef.extensions.Reason`*:: +*`rsa.misc.event_id`*:: + -- -The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. 
Example "0x1234". - type: keyword -- -*`cef.extensions.requestClientApplication`*:: +*`rsa.misc.reason`*:: + -- -The User-Agent associated with the request. - type: keyword -- -*`cef.extensions.requestContext`*:: +*`rsa.misc.status`*:: + -- -Description of the content from which the request originated (for example, HTTP Referrer) - type: keyword -- -*`cef.extensions.requestCookies`*:: +*`rsa.misc.mail_id`*:: + -- -Cookies associated with the request. +This key is used to capture the mailbox id/name type: keyword -- -*`cef.extensions.requestMethod`*:: +*`rsa.misc.rule_uid`*:: + -- -The HTTP method used to access a URL. +This key is the Unique Identifier for a rule. type: keyword -- -*`cef.extensions.requestUrl`*:: +*`rsa.misc.trigger_desc`*:: + -- -In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`cef.extensions.sourceAddress`*:: +*`rsa.misc.inout`*:: + -- -Identifies the source that an event refers to in an IP network. - -type: ip +type: keyword -- -*`cef.extensions.sourceDnsDomain`*:: +*`rsa.misc.p_msgid`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). - type: keyword -- -*`cef.extensions.sourceGeoLatitude`*:: +*`rsa.misc.data_type`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceGeoLongitude`*:: +*`rsa.misc.msgIdPart4`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceHostName`*:: +*`rsa.misc.error`*:: + -- -Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. - +This key captures All non successful Error codes or responses type: keyword -- -*`cef.extensions.sourceMacAddress`*:: +*`rsa.misc.index`*:: + -- -Six colon-separated hexadecimal numbers. 
- type: keyword -example: 00:0d:60:af:1b:61 - -- -*`cef.extensions.sourceNtDomain`*:: +*`rsa.misc.listnum`*:: + -- -The Windows domain name for the source address. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`cef.extensions.sourcePort`*:: +*`rsa.misc.ntype`*:: + -- -The valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceProcessId`*:: +*`rsa.misc.observed_val`*:: + -- -The ID of the source process associated with the event. +This key captures the Value observed (from the perspective of the device generating the log). -type: long +type: keyword -- -*`cef.extensions.sourceProcessName`*:: +*`rsa.misc.policy_value`*:: + -- -The name of the event's source process. +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`cef.extensions.sourceServiceName`*:: +*`rsa.misc.pool_name`*:: + -- -The service that is responsible for generating this event. +This key captures the name of a resource pool type: keyword -- -*`cef.extensions.sourceTranslatedAddress`*:: +*`rsa.misc.rule_template`*:: + -- -Identifies the translated source that the event refers to in an IP network. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: ip +type: keyword -- -*`cef.extensions.sourceTranslatedPort`*:: +*`rsa.misc.count`*:: + -- -A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceTranslatedZoneExternalID`*:: +*`rsa.misc.number`*:: + -- -None - type: keyword -- -*`cef.extensions.sourceTranslatedZoneURI`*:: +*`rsa.misc.sigcat`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. - type: keyword -- -*`cef.extensions.sourceUserId`*:: +*`rsa.misc.type`*:: + -- -Identifies the source user by ID. 
This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - type: keyword -- -*`cef.extensions.sourceUserName`*:: +*`rsa.misc.comments`*:: + -- -Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. +Comment information provided in the log message type: keyword -- -*`cef.extensions.sourceUserPrivileges`*:: +*`rsa.misc.doc_number`*:: + -- -The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". +This key captures File Identification number -type: keyword +type: long -- -*`cef.extensions.sourceZoneExternalID`*:: +*`rsa.misc.expected_val`*:: + -- -None +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`cef.extensions.sourceZoneURI`*:: +*`rsa.misc.job_num`*:: + -- -The URI for the Zone that the source asset has been assigned to in ArcSight. +This key captures the Job Number type: keyword -- -*`cef.extensions.startTime`*:: +*`rsa.misc.spi_dst`*:: + -- -The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +Destination SPI Index -type: date +type: keyword -- -*`cef.extensions.transportProtocol`*:: +*`rsa.misc.spi_src`*:: + -- -Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. +Source SPI Index type: keyword -- -*`cef.extensions.type`*:: +*`rsa.misc.code`*:: + -- -0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). - -type: long +type: keyword -- -*`cef.extensions.categoryDeviceType`*:: +*`rsa.misc.agent_id`*:: + -- -Device type. 
Examples - Proxy, IDS, Web Server +This key is used to capture agent id type: keyword -- -*`cef.extensions.categoryObject`*:: +*`rsa.misc.message_body`*:: + -- -Object that the event is about. For example it can be an operating sytem, database, file, etc. +This key captures the The contents of the message body. type: keyword -- -*`cef.extensions.categoryBehavior`*:: +*`rsa.misc.phone`*:: + -- -Action or a behavior associated with an event. It's what is being done to the object. - type: keyword -- -*`cef.extensions.categoryTechnique`*:: +*`rsa.misc.sig_id_str`*:: + -- -Technique being used (e.g. /DoS). +This key captures a string object of the sigid variable. type: keyword -- -*`cef.extensions.categoryDeviceGroup`*:: +*`rsa.misc.cmd`*:: + -- -General device group like Firewall. - type: keyword -- -*`cef.extensions.categorySignificance`*:: +*`rsa.misc.misc`*:: + -- -Characterization of the importance of the event. - type: keyword -- -*`cef.extensions.categoryOutcome`*:: +*`rsa.misc.name`*:: + -- -Outcome of the event (e.g. sucess, failure, or attempt). - type: keyword -- -*`cef.extensions.managerReceiptTime`*:: +*`rsa.misc.cpu`*:: + -- -When the Arcsight ESM received the event. +This key is the CPU time used in the execution of the event being recorded. -type: date +type: long -- -*`source.service.name`*:: +*`rsa.misc.event_desc`*:: + -- -Service that is the source of the event. +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`destination.service.name`*:: +*`rsa.misc.sig_id1`*:: + -- -Service that is the target of the event. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[[exported-fields-cef-module]] -== CEF fields - -Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. 
- - - -[float] -=== forcepoint - -Fields for Forcepoint Custom String mappings - - - -*`forcepoint.virus_id`*:: +*`rsa.misc.im_buddyid`*:: + -- -Virus ID - - type: keyword -- -[float] -=== checkpoint - -Fields for Check Point custom string mappings. - +*`rsa.misc.im_client`*:: ++ +-- +type: keyword +-- -*`checkpoint.app_risk`*:: +*`rsa.misc.im_userid`*:: + -- -Application risk. - type: keyword -- -*`checkpoint.app_severity`*:: +*`rsa.misc.pid`*:: + -- -Application threat severity. - type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.priority`*:: + -- -The signature ID which the application was detected by. - type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.misc.context_subject`*:: + -- -Password authentication protocol used. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`checkpoint.category`*:: +*`rsa.misc.context_target`*:: + -- -Category. - type: keyword -- -*`checkpoint.confidence_level`*:: +*`rsa.misc.cve`*:: + -- -Confidence level determined. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: integer +type: keyword -- -*`checkpoint.connectivity_state`*:: +*`rsa.misc.fcatnum`*:: + -- -Connectivity state. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`checkpoint.cookie`*:: +*`rsa.misc.library`*:: + -- -IKE cookie. +This key is used to capture library information in mainframe devices type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.misc.parent_node`*:: + -- -Destination IP-Phone. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.misc.risk_info`*:: + -- -Engine name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.tcp_flags`*:: + -- -Internal email ID. 
+This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.tos`*:: + -- -Number of recipients. +This key describes the type of service type: long -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.vm_target`*:: + -- -Internal email session ID. +VMWare Target **VMWARE** only varaible. type: keyword -- -*`checkpoint.email_spool_id`*:: +*`rsa.misc.workspace`*:: + -- -Internal email spool ID. +This key captures Workspace Description type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.command`*:: + -- -Email subject. - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.event_category`*:: + -- -Number of events associated with the log. - -type: long +type: keyword -- -*`checkpoint.frequency`*:: +*`rsa.misc.facilityname`*:: + -- -Scan frequency. - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.forensic_info`*:: + -- -ICMP type. - -type: long +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.jobname`*:: + -- -ICMP code. - -type: long +type: keyword -- -*`checkpoint.identity_type`*:: +*`rsa.misc.mode`*:: + -- -Identity type. - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.policy`*:: + -- -Format of original data. - type: keyword -- -*`checkpoint.integrity_av_invoke_type`*:: +*`rsa.misc.policy_waiver`*:: + -- -Scan invoke type. - type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.second`*:: + -- -Malware family. - type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.misc.space1`*:: + -- -Main IP of the peer Security Gateway. - -type: ip +type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.misc.subcategory`*:: + -- -Protection performance impact. +type: keyword -type: integer +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.alert_id`*:: + -- -Protection malware ID. 
+Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Specific signature name of the attack. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.checksum_src`*:: + -- -Type of protection used to detect the attack. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`checkpoint.scan_result`*:: +*`rsa.misc.fresult`*:: + -- -Scan result. +This key captures the Filter Result -type: keyword +type: long -- -*`checkpoint.sensor_mode`*:: +*`rsa.misc.payload_dst`*:: + -- -Sensor mode. +This key is used to capture destination payload type: keyword -- -*`checkpoint.severity`*:: +*`rsa.misc.payload_src`*:: + -- -Threat severity. +This key is used to capture source payload type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.misc.pool_id`*:: + -- -Spyware name. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`checkpoint.spyware_status`*:: +*`rsa.misc.process_id_val`*:: + -- -Spyware status. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`checkpoint.subs_exp`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The expiration date of the subscription. +This key captures Risk Number Community -type: date +type: double -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.risk_num_next`*:: + -- -TCP packet flags. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`checkpoint.termination_reason`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Termination reason. +This key captures Risk Number SandBox -type: keyword +type: double -- -*`checkpoint.update_status`*:: +*`rsa.misc.risk_num_static`*:: + -- -Update status. 
+This key captures Risk Number Static -type: keyword +type: double -- -*`checkpoint.user_status`*:: +*`rsa.misc.risk_suspicious`*:: + -- -User response. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.uuid`*:: +*`rsa.misc.risk_warning`*:: + -- -External ID. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.virus_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Virus name. +SNMP Object Identifier type: keyword -- -*`checkpoint.voip_log_type`*:: +*`rsa.misc.sql`*:: + -- -VoIP log types. +This key captures the SQL query type: keyword -- -[float] -=== cef.extensions - -Extra vendor-specific extensions. +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details +type: keyword +-- -*`cef.extensions.cp_app_risk`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`cef.extensions.cp_severity`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`cef.extensions.ifname`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`cef.extensions.inzone`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`cef.extensions.layer_uuid`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`cef.extensions.layer_name`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`cef.extensions.logid`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`cef.extensions.loguid`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`cef.extensions.match_id`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`cef.extensions.nat_addtnl_rulenum`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`cef.extensions.nat_rulenum`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`cef.extensions.origin`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`cef.extensions.originsicname`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`cef.extensions.outzone`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`cef.extensions.parent_rule`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- 
-*`cef.extensions.product`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`cef.extensions.rule_action`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`cef.extensions.rule_uid`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`cef.extensions.sequencenum`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`cef.extensions.service_id`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`cef.extensions.version`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -[[exported-fields-checkpoint]] -== Checkpoint fields - -Some checkpoint module - - - -[float] -=== checkpoint - -Module for parsing Checkpoint syslog. - - - -*`checkpoint.confidence_level`*:: +*`rsa.misc.clustermembers`*:: + -- -Confidence level determined by ThreatCloud. - - -type: integer +type: keyword -- -*`checkpoint.calc_desc`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Log description. - - type: keyword -- -*`checkpoint.dst_country`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Destination country. - - type: keyword -- -*`checkpoint.dst_user_name`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Connected user name on the destination IP. - - type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -Email number in smtp connection. - - type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Original email subject. - - type: keyword -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Connection uuid. - - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Number of events associated with the log. - - -type: long +type: keyword -- -*`checkpoint.sys_message`*:: +*`rsa.misc.cn_engine_type`*:: + -- -System messages - - type: keyword -- -*`checkpoint.logid`*:: +*`rsa.misc.cn_f_switch`*:: + -- -System messages - - type: keyword -- -*`checkpoint.failure_impact`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -The impact of update service failure. 
- - type: keyword -- -*`checkpoint.id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Override application ID. - - -type: integer +type: keyword -- -*`checkpoint.information`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Policy installation status for a specific blade. - - type: keyword -- -*`checkpoint.layer_name`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.layer_uuid`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -Layer UUID. - - type: keyword -- -*`checkpoint.log_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -Unique identity for logs. - - -type: integer +type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.cn_invalid`*:: + -- -Additional information on protection. - - type: keyword -- -*`checkpoint.origin_sic_name`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Machine SIC. - - type: keyword -- -*`checkpoint.policy_mgmt`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Name of the Management Server that manages this Security Gateway. - - type: keyword -- -*`checkpoint.policy_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Name of the last policy that this Security Gateway fetched. - - type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.cn_log_did`*:: + -- -Protection malware id. - - type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Specific signature name of the attack. - - type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Type of protection used to detect the attack. - - type: keyword -- -*`checkpoint.protocol`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Protocol detected on the connection. - - type: keyword -- -*`checkpoint.proxy_src_ip`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Sender source IP (even when using proxy). - - -type: ip +type: keyword -- -*`checkpoint.rule`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -Matched rule number. - - -type: integer +type: keyword -- -*`checkpoint.rule_action`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Action of the matched rule in the access policy. 
- - type: keyword -- -*`checkpoint.scan_direction`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -Scan direction. - - type: keyword -- -*`checkpoint.session_id`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -Log uuid. - - type: keyword -- -*`checkpoint.source_os`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -OS which generated the attack. - - type: keyword -- -*`checkpoint.src_country`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Country name, derived from connection source IP address. - - type: keyword -- -*`checkpoint.src_user_name`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -User name connected to source IP - - type: keyword -- -*`checkpoint.ticket_id`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -Unique ID per file. - - type: keyword -- -*`checkpoint.tls_server_host_name`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -SNI/CN from encrypted TLS connection used by URLF for categorization. - - type: keyword -- -*`checkpoint.verdict`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -TE engine verdict Possible values: Malicious/Benign/Error. - - type: keyword -- -*`checkpoint.user`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Source user name. - - type: keyword -- -*`checkpoint.vendor_list`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The vendor name that provided the verdict for a malicious URL. - - type: keyword -- -*`checkpoint.web_server_type`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Web server detected in the HTTP response. - - type: keyword -- -*`checkpoint.client_name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Client Application or Software Blade that detected the event. - - type: keyword -- -*`checkpoint.client_version`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -Build version of SandBlast Agent client installed on the computer. - - type: keyword -- -*`checkpoint.extension_version`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Build version of the SandBlast Agent browser extension. - - type: keyword -- -*`checkpoint.host_time`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Local time on the endpoint computer. 
- - type: keyword -- -*`checkpoint.installed_products`*:: +*`rsa.misc.cn_sampint`*:: + -- -List of installed Endpoint Software Blades. - - type: keyword -- -*`checkpoint.cc`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The Carbon Copy address of the email. - - type: keyword -- -*`checkpoint.parent_process_username`*:: +*`rsa.misc.cn_spackets`*:: + -- -Owner username of the parent process of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- -*`checkpoint.process_username`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Owner username of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_sysuptime`*:: ++ +-- type: keyword -- -*`checkpoint.audit_status`*:: +*`rsa.misc.cn_template_id`*:: + -- -Audit Status. Can be Success or Failure. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttable`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -Table of affected objects. +type: keyword +-- +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttype`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The type of the affected object. +type: keyword +-- +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- type: keyword -- -*`checkpoint.operation_number`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -The operation nuber. +type: keyword +-- +*`rsa.misc.comp_class`*:: ++ +-- type: keyword -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.comp_name`*:: + -- -Amount of recipients whom the mail was sent to. - - -type: integer +type: keyword -- -*`checkpoint.suppressed_logs`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Aggregated connections for five minutes on the same source, destination and port. - - -type: integer +type: keyword -- -*`checkpoint.blade_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Blade name. - - type: keyword -- -*`checkpoint.status`*:: +*`rsa.misc.cpu_data`*:: + -- -Ok/Warning/Error. 
- - type: keyword -- -*`checkpoint.short_desc`*:: +*`rsa.misc.criticality`*:: + -- -Short description of the process that was executed. - - type: keyword -- -*`checkpoint.long_desc`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -More information on the process (usually describing error reason in failure). - - type: keyword -- -*`checkpoint.scan_hosts_hour`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Number of unique hosts during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_day`*:: +*`rsa.misc.cs_av_other`*:: + -- -Number of unique hosts during the last day. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_week`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Number of unique hosts during the last week. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_hour`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Detected virus for a specific host during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_day`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Detected virus for a specific host during the last day. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_week`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Detected virus for a specific host during the last week. - - -type: integer +type: keyword -- -*`checkpoint.scan_mail`*:: +*`rsa.misc.cs_context`*:: + -- -Number of emails that were scanned by "AB malicious activity" engine. - - -type: integer +type: keyword -- -*`checkpoint.additional_ip`*:: +*`rsa.misc.cs_control`*:: + -- -DNS host name. - - type: keyword -- -*`checkpoint.description`*:: +*`rsa.misc.cs_data`*:: + -- -Additional explanation how the security gateway enforced the connection. - - type: keyword -- -*`checkpoint.email_spam_category`*:: +*`rsa.misc.cs_datecret`*:: + -- -Email categories. Possible values: spam/not spam/phishing. - - type: keyword -- -*`checkpoint.email_control_analysis`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Message classification, received from spam vendor engine. 
- - type: keyword -- -*`checkpoint.scan_results`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -"Infected"/description of a failure. - - type: keyword -- -*`checkpoint.original_queue_id`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Original postfix email queue id. - - type: keyword -- -*`checkpoint.risk`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Risk level we got from the engine. - - type: keyword -- -*`checkpoint.observable_name`*:: +*`rsa.misc.cs_filetype`*:: + -- -IOC observable signature name. - - type: keyword -- -*`checkpoint.observable_id`*:: +*`rsa.misc.cs_fld`*:: + -- -IOC observable signature id. - - type: keyword -- -*`checkpoint.observable_comment`*:: +*`rsa.misc.cs_if_desc`*:: + -- -IOC observable signature description. - - type: keyword -- -*`checkpoint.indicator_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -IOC indicator name. - - type: keyword -- -*`checkpoint.indicator_description`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.indicator_reference`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -IOC indicator reference. - - type: keyword -- -*`checkpoint.indicator_uuid`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -IOC indicator uuid. - - type: keyword -- -*`checkpoint.app_desc`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Application description. - - type: keyword -- -*`checkpoint.app_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Application ID. - - -type: integer +type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.cs_loginname`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.certificate_resource`*:: +*`rsa.misc.cs_modulescore`*:: + -- -HTTPS resource Possible values: SNI or domain name (DN). - - type: keyword -- -*`checkpoint.certificate_validation`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. - - type: keyword -- -*`checkpoint.browse_time`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Application session browse time. 
- - type: keyword -- -*`checkpoint.limit_requested`*:: +*`rsa.misc.cs_payload`*:: + -- -Indicates whether data limit was requested for the session. - - -type: integer +type: keyword -- -*`checkpoint.limit_applied`*:: +*`rsa.misc.cs_registrant`*:: + -- -Indicates whether the session was actually date limited. - - -type: integer +type: keyword -- -*`checkpoint.dropped_total`*:: +*`rsa.misc.cs_registrar`*:: + -- -Amount of dropped packets (both incoming and outgoing). - - -type: integer +type: keyword -- -*`checkpoint.client_type_os`*:: +*`rsa.misc.cs_represult`*:: + -- -Client OS detected in the HTTP request. - - type: keyword -- -*`checkpoint.name`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Application name. - - type: keyword -- -*`checkpoint.properties`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Application categories. - - type: keyword -- -*`checkpoint.sig_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Application's signature ID which how it was detected by. - - type: keyword -- -*`checkpoint.desc`*:: +*`rsa.misc.cs_streams`*:: + -- -Override application description. - - type: keyword -- -*`checkpoint.referrer_self_uid`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -UUID of the current log. - - type: keyword -- -*`checkpoint.referrer_parent_uid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Log UUID of the referring application. - - type: keyword -- -*`checkpoint.needs_browse_time`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Browse time required for the connection. - - -type: integer +type: keyword -- -*`checkpoint.cluster_info`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - - type: keyword -- -*`checkpoint.sync`*:: +*`rsa.misc.description`*:: + -- -Sync status and the reason (stable, at risk). - - type: keyword -- -*`checkpoint.file_direction`*:: +*`rsa.misc.devvendor`*:: + -- -File direction. Possible options: upload/download. 
- - type: keyword -- -*`checkpoint.invalid_file_size`*:: +*`rsa.misc.distance`*:: + -- -File_size field is valid only if this field is set to 0. - - -type: integer +type: keyword -- -*`checkpoint.top_archive_file_name`*:: +*`rsa.misc.dstburb`*:: + -- -In case of archive file: the file that was sent/received. - - type: keyword -- -*`checkpoint.data_type_name`*:: +*`rsa.misc.edomain`*:: + -- -Data type in rulebase that was matched. - - type: keyword -- -*`checkpoint.specific_data_type_name`*:: +*`rsa.misc.edomaub`*:: + -- -Compound/Group scenario, data type that was matched. - - type: keyword -- -*`checkpoint.word_list`*:: +*`rsa.misc.euid`*:: + -- -Words matched by data type. - - type: keyword -- -*`checkpoint.info`*:: +*`rsa.misc.facility`*:: + -- -Special log message. - - type: keyword -- -*`checkpoint.outgoing_url`*:: +*`rsa.misc.finterface`*:: + -- -URL related to this log (for HTTP). - - type: keyword -- -*`checkpoint.dlp_rule_name`*:: +*`rsa.misc.flags`*:: + -- -Matched rule name. - - type: keyword -- -*`checkpoint.dlp_recipients`*:: +*`rsa.misc.gaddr`*:: + -- -Mail recipients. - - type: keyword -- -*`checkpoint.dlp_subject`*:: +*`rsa.misc.id3`*:: + -- -Mail subject. - - type: keyword -- -*`checkpoint.dlp_word_list`*:: +*`rsa.misc.im_buddyname`*:: + -- -Phrases matched by data type. - - type: keyword -- -*`checkpoint.dlp_template_score`*:: +*`rsa.misc.im_croomid`*:: + -- -Template data type match score. - - type: keyword -- -*`checkpoint.message_size`*:: +*`rsa.misc.im_croomtype`*:: + -- -Mail/post size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_incident_uid`*:: +*`rsa.misc.im_members`*:: + -- -Unique ID of the matched rule. - - type: keyword -- -*`checkpoint.dlp_related_incident_uid`*:: +*`rsa.misc.im_username`*:: + -- -Other ID related to this one. - - type: keyword -- -*`checkpoint.dlp_data_type_name`*:: +*`rsa.misc.ipkt`*:: + -- -Matched data type. 
- - type: keyword -- -*`checkpoint.dlp_data_type_uid`*:: +*`rsa.misc.ipscat`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.dlp_violation_description`*:: +*`rsa.misc.ipspri`*:: + -- -Violation descriptions described in the rulebase. - - type: keyword -- -*`checkpoint.dlp_relevant_data_types`*:: +*`rsa.misc.latitude`*:: + -- -In case of Compound/Group: the inner data types that were matched. - - type: keyword -- -*`checkpoint.dlp_action_reason`*:: +*`rsa.misc.linenum`*:: + -- -Action chosen reason. - - type: keyword -- -*`checkpoint.dlp_categories`*:: +*`rsa.misc.list_name`*:: + -- -Data type category. - - type: keyword -- -*`checkpoint.dlp_transint`*:: +*`rsa.misc.load_data`*:: + -- -HTTP/SMTP/FTP. - - type: keyword -- -*`checkpoint.duplicate`*:: +*`rsa.misc.location_floor`*:: + -- -Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.location_mark`*:: + -- -Matched data type. - - type: keyword -- -*`checkpoint.matched_file`*:: +*`rsa.misc.log_id`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.matched_file_text_segments`*:: +*`rsa.misc.log_type`*:: + -- -Fingerprint: number of text segments matched by this traffic. - - -type: integer +type: keyword -- -*`checkpoint.matched_file_percentage`*:: +*`rsa.misc.logid`*:: + -- -Fingerprint: match percentage of the traffic. - - -type: integer +type: keyword -- -*`checkpoint.dlp_additional_action`*:: +*`rsa.misc.logip`*:: + -- -Watermark/None. - - type: keyword -- -*`checkpoint.dlp_watermark_profile`*:: +*`rsa.misc.logname`*:: + -- -Watermark which was applied. - - type: keyword -- -*`checkpoint.dlp_repository_id`*:: +*`rsa.misc.longitude`*:: + -- -ID of scanned repository. - - type: keyword -- -*`checkpoint.dlp_repository_root_path`*:: +*`rsa.misc.lport`*:: + -- -Repository path. 
- - type: keyword -- -*`checkpoint.scan_id`*:: +*`rsa.misc.mbug_data`*:: + -- -Sequential number of scan. - - type: keyword -- -*`checkpoint.special_properties`*:: +*`rsa.misc.misc_name`*:: + -- -If this field is set to '1' the log will not be shown (in use for monitoring scan progress). - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_total_size`*:: +*`rsa.misc.msg_type`*:: + -- -Repository size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_files_number`*:: +*`rsa.misc.msgid`*:: + -- -Number of files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_files_number`*:: +*`rsa.misc.netsessid`*:: + -- -Number of scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.duration`*:: +*`rsa.misc.num`*:: + -- -Scan duration. - - type: keyword -- -*`checkpoint.dlp_fingerprint_long_status`*:: +*`rsa.misc.number1`*:: + -- -Scan status - long format. - - type: keyword -- -*`checkpoint.dlp_fingerprint_short_status`*:: +*`rsa.misc.number2`*:: + -- -Scan status - short format. - - type: keyword -- -*`checkpoint.dlp_repository_directories_number`*:: +*`rsa.misc.nwwn`*:: + -- -Number of directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_unreachable_directories_number`*:: +*`rsa.misc.object`*:: + -- -Number of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.dlp_fingerprint_files_number`*:: +*`rsa.misc.operation`*:: + -- -Number of successfully scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_skipped_files_number`*:: +*`rsa.misc.opkt`*:: + -- -Skipped number of files because of configuration. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_directories_number`*:: +*`rsa.misc.orig_from`*:: + -- -Amount of directories scanned. 
- - -type: integer +type: keyword -- -*`checkpoint.number_of_errors`*:: +*`rsa.misc.owner_id`*:: + -- -Number of files that were not scanned due to an error. - - -type: integer +type: keyword -- -*`checkpoint.next_scheduled_scan_date`*:: +*`rsa.misc.p_action`*:: + -- -Next scan scheduled time according to time object. - - type: keyword -- -*`checkpoint.dlp_repository_scanned_total_size`*:: +*`rsa.misc.p_filter`*:: + -- -Size scanned. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_reached_directories_number`*:: +*`rsa.misc.p_group_object`*:: + -- -Number of scanned directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: +*`rsa.misc.p_id`*:: + -- -Percentage of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.speed`*:: +*`rsa.misc.p_msgid1`*:: + -- -Current scan speed. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scan_progress`*:: +*`rsa.misc.p_msgid2`*:: + -- -Scan percentage. - - -type: integer +type: keyword -- -*`checkpoint.sub_policy_name`*:: +*`rsa.misc.p_result1`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.sub_policy_uid`*:: +*`rsa.misc.password_chg`*:: + -- -Layer uid. - - type: keyword -- -*`checkpoint.fw_message`*:: +*`rsa.misc.password_expire`*:: + -- -Used for various firewall errors. - - type: keyword -- -*`checkpoint.message`*:: +*`rsa.misc.permgranted`*:: + -- -ISP link has failed. - - type: keyword -- -*`checkpoint.isp_link`*:: +*`rsa.misc.permwanted`*:: + -- -Name of ISP link. - - type: keyword -- -*`checkpoint.fw_subproduct`*:: +*`rsa.misc.pgid`*:: + -- -Can be vpn/non vpn. - - type: keyword -- -*`checkpoint.sctp_error`*:: +*`rsa.misc.policyUUID`*:: + -- -Error information, what caused sctp to fail on out_of_state. - - type: keyword -- -*`checkpoint.chunk_type`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Chunck of the sctp stream. 
- - type: keyword -- -*`checkpoint.sctp_association_state`*:: +*`rsa.misc.program`*:: + -- -The bad state you were trying to update to. - - type: keyword -- -*`checkpoint.tcp_packet_out_of_state`*:: +*`rsa.misc.real_data`*:: + -- -State violation. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.rec_asp_num`*:: + -- -TCP packet flags (SYN, ACK, etc.,). +type: keyword +-- +*`rsa.misc.rec_library`*:: ++ +-- type: keyword -- -*`checkpoint.connectivity_level`*:: +*`rsa.misc.recordnum`*:: + -- -Log for a new connection in wire mode. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`checkpoint.ip_option`*:: +*`rsa.misc.sburb`*:: + -- -IP option that was dropped. - - -type: integer +type: keyword -- -*`checkpoint.tcp_state`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Log reinting a tcp state change. - - type: keyword -- -*`checkpoint.expire_time`*:: +*`rsa.misc.sec`*:: + -- -Connection closing time. - - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.sensorname`*:: + -- -In case a connection is ICMP, type info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.seqnum`*:: + -- -In case a connection is ICMP, code info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.rpc_prog`*:: +*`rsa.misc.session`*:: + -- -Log for new RPC state - prog values. - - -type: integer +type: keyword -- -*`checkpoint.dce-rpc_interface_uuid`*:: +*`rsa.misc.sessiontype`*:: + -- -Log for new RPC state - UUID values - - type: keyword -- -*`checkpoint.elapsed`*:: +*`rsa.misc.sigUUID`*:: + -- -Time passed since start time. - - type: keyword -- -*`checkpoint.icmp`*:: +*`rsa.misc.spi`*:: + -- -Number of packets, received by the client. - - type: keyword -- -*`checkpoint.capture_uuid`*:: +*`rsa.misc.srcburb`*:: + -- -UUID generated for the capture. Used when enabling the capture when logging. 
- - type: keyword -- -*`checkpoint.diameter_app_ID`*:: +*`rsa.misc.srcdom`*:: + -- -The ID of diameter application. - - -type: integer +type: keyword -- -*`checkpoint.diameter_cmd_code`*:: +*`rsa.misc.srcservice`*:: + -- -Diameter not allowed application command id. - - -type: integer +type: keyword -- -*`checkpoint.diameter_msg_type`*:: +*`rsa.misc.state`*:: + -- -Diameter message type. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -*`checkpoint.cp_message`*:: +*`rsa.misc.svcno`*:: + -- -Used to log a general message. +type: keyword +-- -type: integer +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`checkpoint.log_delay`*:: +*`rsa.misc.tbdstr1`*:: + -- -Time left before deleting template. +type: keyword +-- -type: integer +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`checkpoint.attack_status`*:: +*`rsa.misc.tgtdomain`*:: + -- -In case of a malicious event on an endpoint computer, the status of the attack. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`checkpoint.impacted_files`*:: +*`rsa.misc.type1`*:: + -- -In case of an infection on an endpoint computer, the list of files that the malware impacted. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`checkpoint.remediated_files`*:: +*`rsa.misc.url_fld`*:: + -- -In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. +type: keyword +-- +*`rsa.misc.user_div`*:: ++ +-- type: keyword -- -*`checkpoint.triggered_by`*:: +*`rsa.misc.userid`*:: + -- -The name of the mechanism that triggered the Software Blade to enforce a protection. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_id`*:: +*`rsa.misc.utcstamp`*:: + -- -ID of the matched rule. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_name`*:: +*`rsa.misc.virt_data`*:: + -- -Name of the matched rule. 
+type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`checkpoint.app_properties`*:: +*`rsa.misc.autorun_type`*:: + -- -List of all found categories. - +This is used to capture Auto Run type type: keyword -- -*`checkpoint.https_validation`*:: +*`rsa.misc.cc_number`*:: + -- -Precise error, describing HTTPS inspection failure. +Valid Credit Card Numbers only - -type: keyword +type: long -- -*`checkpoint.https_inspection_action`*:: +*`rsa.misc.content`*:: + -- -HTTPS inspection action (Inspect/Bypass/Error). - +This key captures the content type from protocol headers type: keyword -- -*`checkpoint.icap_service_id`*:: +*`rsa.misc.ein_number`*:: + -- -Service ID, can work with multiple servers, treated as services. +Employee Identification Numbers only - -type: integer +type: long -- -*`checkpoint.icap_server_name`*:: +*`rsa.misc.found`*:: + -- -Server name. - +This is used to capture the results of regex match type: keyword -- -*`checkpoint.internal_error`*:: +*`rsa.misc.language`*:: + -- -Internal error, for troubleshooting - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`checkpoint.icap_more_info`*:: +*`rsa.misc.lifetime`*:: + -- -Free text for verdict. - +This key is used to capture the session lifetime in seconds. -type: integer +type: long -- -*`checkpoint.reply_status`*:: +*`rsa.misc.link`*:: + -- -ICAP reply status code, e.g. 200 or 204. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`checkpoint.icap_server_service`*:: +*`rsa.misc.match`*:: + -- -Service name, as given in the ICAP URI - +This key is for regex match name from search.ini type: keyword -- -*`checkpoint.mirror_and_decrypt_type`*:: +*`rsa.misc.param_dst`*:: + -- -Information about decrypt and forward. 
Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`checkpoint.interface_name`*:: +*`rsa.misc.param_src`*:: + -- -Designated interface for mirror And decrypt. - +This key captures source parameter type: keyword -- -*`checkpoint.session_uid`*:: +*`rsa.misc.search_text`*:: + -- -HTTP session-id. - +This key captures the Search Text used type: keyword -- -*`checkpoint.broker_publisher`*:: +*`rsa.misc.sig_name`*:: + -- -IP address of the broker publisher who shared the session information. - +This key is used to capture the Signature Name only. -type: ip +type: keyword -- -*`checkpoint.src_user_dn`*:: +*`rsa.misc.snmp_value`*:: + -- -User distinguished name connected to source IP. - +SNMP set request value type: keyword -- -*`checkpoint.proxy_user_name`*:: +*`rsa.misc.streams`*:: + -- -User name connected to proxy IP. - +This key captures number of streams in session -type: keyword +type: long -- -*`checkpoint.proxy_machine_name`*:: + +*`rsa.db.index`*:: + -- -Machine name connected to proxy IP. - +This key captures IndexID of the index. -type: integer +type: keyword -- -*`checkpoint.proxy_user_dn`*:: +*`rsa.db.instance`*:: + -- -User distinguished name connected to proxy IP. - +This key is used to capture the database server instance name type: keyword -- -*`checkpoint.query`*:: +*`rsa.db.database`*:: + -- -DNS query. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`checkpoint.dns_query`*:: +*`rsa.db.transact_id`*:: + -- -DNS query. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`checkpoint.inspection_item`*:: +*`rsa.db.permissions`*:: + -- -Blade element performed inspection. - +This key captures permission or privilege level assigned to a resource. 
type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.db.table_name`*:: + -- -Protection performance impact. +This key is used to capture the table name - -type: integer +type: keyword -- -*`checkpoint.inspection_category`*:: +*`rsa.db.db_id`*:: + -- -Inspection category: protocol anomaly, signature etc. - +This key is used to capture the unique identifier for a database type: keyword -- -*`checkpoint.inspection_profile`*:: +*`rsa.db.db_pid`*:: + -- -Profile which the activated protection belongs to. +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`checkpoint.summary`*:: +*`rsa.db.lread`*:: + -- -Summary message of a non-compliant DNS traffic drops or detects. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`checkpoint.question_rdata`*:: +*`rsa.db.lwrite`*:: + -- -List of question records domains. +This key is used for the number of logical writes - -type: keyword +type: long -- -*`checkpoint.answer_rdata`*:: +*`rsa.db.pread`*:: + -- -List of answer resource records to the questioned domains. - +This key is used for the number of physical writes -type: keyword +type: long -- -*`checkpoint.authority_rdata`*:: + +*`rsa.network.alias_host`*:: + -- -List of authoritative servers. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`checkpoint.additional_rdata`*:: +*`rsa.network.domain`*:: + -- -List of additional resource records. - - type: keyword -- -*`checkpoint.files_names`*:: +*`rsa.network.host_dst`*:: + -- -List of files requested by FTP. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`checkpoint.ftp_user`*:: +*`rsa.network.network_service`*:: + -- -FTP username. 
- +This is used to capture layer 7 protocols/service names type: keyword -- -*`checkpoint.mime_from`*:: +*`rsa.network.interface`*:: + -- -Sender's address. - +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`checkpoint.mime_to`*:: +*`rsa.network.network_port`*:: + -- -List of receiver address. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`checkpoint.bcc`*:: +*`rsa.network.eth_host`*:: + -- -List of BCC addresses. - +Deprecated, use alias.mac type: keyword -- -*`checkpoint.content_type`*:: +*`rsa.network.sinterface`*:: + -- -Mail content type. Possible values: application/msword, text/html, image/gif etc. - +This key should only be used when it’s a Source Interface type: keyword -- -*`checkpoint.user_agent`*:: +*`rsa.network.dinterface`*:: + -- -String identifying requesting software user agent. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`checkpoint.referrer`*:: +*`rsa.network.vlan`*:: + -- -Referrer HTTP request header, previous web page address. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`checkpoint.http_location`*:: +*`rsa.network.zone_src`*:: + -- -Response header, indicates the URL to redirect a page to. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`checkpoint.content_disposition`*:: +*`rsa.network.zone`*:: + -- -Indicates how the content is expected to be displayed inline in the browser. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`checkpoint.via`*:: +*`rsa.network.zone_dst`*:: + -- -Via header is added by proxies for tracking purposes to avoid sending reqests in loop. - +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`checkpoint.http_server`*:: +*`rsa.network.gateway`*:: + -- -Server HTTP header value, contains information about the software used by the origin server, which handles the request. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`checkpoint.content_length`*:: +*`rsa.network.icmp_type`*:: + -- -Indicates the size of the entity-body of the HTTP header. +This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`checkpoint.authorization`*:: +*`rsa.network.mask`*:: + -- -Authorization HTTP header value. - +This key is used to capture the device network IPmask. type: keyword -- -*`checkpoint.http_host`*:: +*`rsa.network.icmp_code`*:: + -- -Domain name of the server that the HTTP request is sent to. +This key is used to capture the ICMP code only - -type: keyword +type: long -- -*`checkpoint.inspection_settings_log`*:: +*`rsa.network.protocol_detail`*:: + -- -Indicats that the log was released by inspection settings. - +This key should be used to capture additional protocol information type: keyword -- -*`checkpoint.cvpn_resource`*:: +*`rsa.network.dmask`*:: + -- -Mobile Access application. - +This key is used for Destionation Device network mask type: keyword -- -*`checkpoint.cvpn_category`*:: +*`rsa.network.port`*:: + -- -Mobile Access application type. - +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`checkpoint.url`*:: +*`rsa.network.smask`*:: + -- -Translated URL. - +This key is used for capturing source Network Mask type: keyword -- -*`checkpoint.reject_id`*:: +*`rsa.network.netname`*:: + -- -A reject ID that corresponds to the one presented in the Mobile Access error page. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
type: keyword -- -*`checkpoint.fs-proto`*:: +*`rsa.network.paddr`*:: + -- -The file share protocol used in mobile acess file share application. +Deprecated - -type: keyword +type: ip -- -*`checkpoint.app_package`*:: +*`rsa.network.faddr`*:: + -- -Unique identifier of the application on the protected mobile device. +type: keyword +-- +*`rsa.network.lhost`*:: ++ +-- type: keyword -- -*`checkpoint.appi_name`*:: +*`rsa.network.origin`*:: + -- -Name of application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.remote_domain_id`*:: ++ +-- type: keyword -- -*`checkpoint.app_repackaged`*:: +*`rsa.network.addr`*:: + -- -Indicates whether the original application was repackage not by the official developer. +type: keyword +-- +*`rsa.network.dns_a_record`*:: ++ +-- type: keyword -- -*`checkpoint.app_sid_id`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Unique SHA identifier of a mobile application. +type: keyword +-- +*`rsa.network.fhost`*:: ++ +-- type: keyword -- -*`checkpoint.app_version`*:: +*`rsa.network.fport`*:: + -- -Version of the application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.laddr`*:: ++ +-- type: keyword -- -*`checkpoint.developer_certificate_name`*:: +*`rsa.network.linterface`*:: + -- -Name of the developer's certificate that was used to sign the mobile application. +type: keyword +-- +*`rsa.network.phost`*:: ++ +-- type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Engine name. - +Deprecated, use host.dst type: keyword -- -*`checkpoint.email_message_id`*:: +*`rsa.network.eth_type`*:: + -- -Email session id (uniqe ID of the mail). +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`checkpoint.email_queue_id`*:: +*`rsa.network.ip_proto`*:: + -- -Postfix email queue id. 
- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`checkpoint.email_queue_name`*:: +*`rsa.network.dns_cname_record`*:: + -- -Postfix email queue name. +type: keyword +-- +*`rsa.network.dns_id`*:: ++ +-- type: keyword -- -*`checkpoint.file_name`*:: +*`rsa.network.dns_opcode`*:: + -- -Malicious file name. +type: keyword +-- +*`rsa.network.dns_resp`*:: ++ +-- type: keyword -- -*`checkpoint.failure_reason`*:: +*`rsa.network.dns_type`*:: + -- -MTA failure description. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`checkpoint.email_headers`*:: +*`rsa.network.host_type`*:: + -- -String containing all the email headers. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`checkpoint.arrival_time`*:: +*`rsa.network.host_orig`*:: + -- -Email arrival timestamp. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`checkpoint.email_status`*:: +*`rsa.network.rpayload`*:: + -- -Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`checkpoint.status_update`*:: +*`rsa.network.vlan_name`*:: + -- -Last time log was updated. - +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`checkpoint.delivery_time`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Timestamp of when email was delivered (MTA finished handling the email. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`checkpoint.links_num`*:: +*`rsa.investigations.ec_theme`*:: + -- -Number of links in the mail. 
- +This key captures the Theme of a particular Event(Ex:Authentication) -type: integer +type: keyword -- -*`checkpoint.attachments_num`*:: +*`rsa.investigations.ec_subject`*:: + -- -Number of attachments in the mail. +This key captures the Subject of a particular Event(Ex:User) - -type: integer +type: keyword -- -*`checkpoint.email_content`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Mail contents. Possible options: attachments/links & attachments/links/text only. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`checkpoint.allocated_ports`*:: +*`rsa.investigations.event_cat`*:: + -- -Amount of allocated ports. +This key captures the Event category number - -type: integer +type: long -- -*`checkpoint.capacity`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Capacity of the ports. - +This key captures the event category name corresponding to the event cat code -type: integer +type: keyword -- -*`checkpoint.ports_usage`*:: +*`rsa.investigations.event_vcat`*:: + -- -Percentage of allocated ports. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: integer +type: keyword -- -*`checkpoint.nat_exhausted_pool`*:: +*`rsa.investigations.analysis_file`*:: + -- -4-tuple of an exhausted pool. - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`checkpoint.nat_rulenum`*:: +*`rsa.investigations.analysis_service`*:: + -- -NAT rulebase first matched rule. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: integer +type: keyword -- -*`checkpoint.nat_addtnl_rulenum`*:: +*`rsa.investigations.analysis_session`*:: + -- -When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. - +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session -type: integer +type: keyword -- -*`checkpoint.message_info`*:: +*`rsa.investigations.boc`*:: + -- -Used for information messages, for example:NAT connection has ended. - +This is used to capture behaviour of compromise type: keyword -- -*`checkpoint.nat46`*:: +*`rsa.investigations.eoc`*:: + -- -NAT 46 status, in most cases "enabled". - +This is used to capture Enablers of Compromise type: keyword -- -*`checkpoint.end_time`*:: +*`rsa.investigations.inv_category`*:: + -- -TCP connection end time. - +This used to capture investigation category type: keyword -- -*`checkpoint.tcp_end_reason`*:: +*`rsa.investigations.inv_context`*:: + -- -Reason for TCP connection closure. - +This used to capture investigation context type: keyword -- -*`checkpoint.cgnet`*:: +*`rsa.investigations.ioc`*:: + -- -Describes NAT allocation for specific subscriber. - +This is key capture indicator of compromise type: keyword -- -*`checkpoint.subscriber`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Source IP before CGNAT. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: ip +type: long -- -*`checkpoint.hide_ip`*:: +*`rsa.counters.dclass_c2`*:: + -- -Source IP which will be used after CGNAT. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: ip +type: long -- -*`checkpoint.int_start`*:: +*`rsa.counters.event_counter`*:: + -- -Subscriber start int which will be used for NAT. +This is used to capture the number of times an event repeated - -type: integer +type: long -- -*`checkpoint.int_end`*:: +*`rsa.counters.dclass_r1`*:: + -- -Subscriber end int which will be used for NAT. - +This is a generic ratio key that should be used with the label dclass.r1.str only -type: integer +type: keyword -- -*`checkpoint.packet_amount`*:: +*`rsa.counters.dclass_c3`*:: + -- -Amount of packets dropped. 
+This is a generic counter key that should be used with the label dclass.c3.str only - -type: integer +type: long -- -*`checkpoint.monitor_reason`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Aggregated logs of monitored packets. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`checkpoint.drops_amount`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Amount of multicast packets dropped. +This is a generic counter string key that should be used with the label dclass.c2 only - -type: integer +type: keyword -- -*`checkpoint.securexl_message`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`checkpoint.conns_amount`*:: +*`rsa.counters.dclass_r2`*:: + -- -Connections amount of aggregated log info. +This is a generic ratio key that should be used with the label dclass.r2.str only - -type: integer +type: keyword -- -*`checkpoint.scope`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -IP related to the attack. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`checkpoint.analyzed_on`*:: +*`rsa.counters.dclass_r3`*:: + -- -Check Point ThreatCloud / emulator name. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`checkpoint.detected_on`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -System and applications version the file was emulated on. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`checkpoint.dropped_file_name`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -List of names dropped from the original file. 
- +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`checkpoint.dropped_file_type`*:: + +*`rsa.identity.auth_method`*:: + -- -List of file types dropped from the original file. - +This key is used to capture authentication methods used only type: keyword -- -*`checkpoint.dropped_file_hash`*:: +*`rsa.identity.user_role`*:: + -- -List of file hashes dropped from the original file. - +This key is used to capture the Role of a user only type: keyword -- -*`checkpoint.dropped_file_verdict`*:: +*`rsa.identity.dn`*:: + -- -List of file verdics dropped from the original file. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`checkpoint.emulated_on`*:: +*`rsa.identity.logon_type`*:: + -- -Images the files were emulated on. - +This key is used to capture the type of logon method used. type: keyword -- -*`checkpoint.extracted_file_type`*:: +*`rsa.identity.profile`*:: + -- -Types of extracted files in case of an archive. - +This key is used to capture the user profile type: keyword -- -*`checkpoint.extracted_file_names`*:: +*`rsa.identity.accesses`*:: + -- -Names of extracted files in case of an archive. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`checkpoint.extracted_file_hash`*:: +*`rsa.identity.realm`*:: + -- -Archive hash in case of extracted files. - +Radius realm or similar grouping of accounts type: keyword -- -*`checkpoint.extracted_file_verdict`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Verdict of extracted files in case of an archive. - +This key captures Destination User Session ID type: keyword -- -*`checkpoint.extracted_file_uid`*:: +*`rsa.identity.dn_src`*:: + -- -UID of extracted files in case of an archive. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`checkpoint.mitre_initial_access`*:: +*`rsa.identity.org`*:: + -- -The adversary is trying to break into your network. 
- +This key captures the User organization type: keyword -- -*`checkpoint.mitre_execution`*:: +*`rsa.identity.dn_dst`*:: + -- -The adversary is trying to run malicious code. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`checkpoint.mitre_persistence`*:: +*`rsa.identity.firstname`*:: + -- -The adversary is trying to maintain his foothold. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_privilege_escalation`*:: +*`rsa.identity.lastname`*:: + -- -The adversary is trying to gain higher-level permissions. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_defense_evasion`*:: +*`rsa.identity.user_dept`*:: + -- -The adversary is trying to avoid being detected. - +User's Department Names only type: keyword -- -*`checkpoint.mitre_credential_access`*:: +*`rsa.identity.user_sid_src`*:: + -- -The adversary is trying to steal account names and passwords. - +This key captures Source User Session ID type: keyword -- -*`checkpoint.mitre_discovery`*:: +*`rsa.identity.federated_sp`*:: + -- -The adversary is trying to expose information about your environment. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`checkpoint.mitre_lateral_movement`*:: +*`rsa.identity.federated_idp`*:: + -- -The adversary is trying to explore your environment. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`checkpoint.mitre_collection`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The adversary is trying to collect data of interest to achieve his goal. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`checkpoint.mitre_command_and_control`*:: +*`rsa.identity.middlename`*:: + -- -The adversary is trying to communicate with compromised systems in order to control them. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_exfiltration`*:: +*`rsa.identity.password`*:: + -- -The adversary is trying to steal data. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`checkpoint.mitre_impact`*:: +*`rsa.identity.host_role`*:: + -- -The adversary is trying to manipulate, interrupt, or destroy your systems and data. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`checkpoint.parent_file_hash`*:: +*`rsa.identity.ldap`*:: + -- -Archive's hash in case of extracted files. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`checkpoint.parent_file_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Archive's name in case of extracted files. - +This key is the Search criteria from an LDAP search type: keyword -- -*`checkpoint.parent_file_uid`*:: +*`rsa.identity.ldap_response`*:: + -- -Archive's UID in case of extracted files. - +This key is to capture Results from an LDAP search type: keyword -- -*`checkpoint.similiar_iocs`*:: +*`rsa.identity.owner`*:: + -- -Other IoCs similar to the ones found, related to the malicious file. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`checkpoint.similar_hashes`*:: +*`rsa.identity.service_account`*:: + -- -Hashes found similar to the malicious file. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage type: keyword -- -*`checkpoint.similar_strings`*:: + +*`rsa.email.email_dst`*:: + -- -Strings found similar to the malicious file. - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`checkpoint.similar_communication`*:: +*`rsa.email.email_src`*:: + -- -Network action found similar to the malicious file. - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`checkpoint.te_verdict_determined_by`*:: +*`rsa.email.subject`*:: + -- -Emulators determined file verdict. - +This key is used to capture the subject string from an Email only. type: keyword -- -*`checkpoint.packet_capture_unique_id`*:: +*`rsa.email.email`*:: + -- -Identifier of the packet capture files. - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`checkpoint.total_attachments`*:: +*`rsa.email.trans_from`*:: + -- -The number of attachments in an email. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`checkpoint.additional_info`*:: +*`rsa.email.trans_to`*:: + -- -ID of original file/mail which are sent by admin. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.content_risk`*:: + +*`rsa.file.privilege`*:: + -- -File risk. +Deprecated, use permissions - -type: integer +type: keyword -- -*`checkpoint.operation`*:: +*`rsa.file.attachment`*:: + -- -Operation made by Threat Extraction. - +This key captures the attachment file name type: keyword -- -*`checkpoint.scrubbed_content`*:: +*`rsa.file.filesystem`*:: + -- -Active content that was found. - - type: keyword -- -*`checkpoint.scrub_time`*:: +*`rsa.file.binary`*:: + -- -Extraction process duration. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.scrub_download_time`*:: +*`rsa.file.filename_dst`*:: + -- -File download time from resource. - +This is used to capture name of the file targeted by the action type: keyword -- -*`checkpoint.scrub_total_time`*:: +*`rsa.file.filename_src`*:: + -- -Threat extraction total file handling time. - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`checkpoint.scrub_activity`*:: +*`rsa.file.filename_tmp`*:: + -- -The result of the extraction +type: keyword +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file type: keyword -- -*`checkpoint.watermark`*:: +*`rsa.file.directory_src`*:: + -- -Reports whether watermark is added to the cleaned file. - +This key is used to capture the directory of the source process or file type: keyword -- -*`checkpoint.source_object`*:: +*`rsa.file.file_entropy`*:: + -- -Matched object name on source column. - +This is used to capture entropy vale of a file -type: integer +type: double -- -*`checkpoint.destination_object`*:: +*`rsa.file.file_vendor`*:: + -- -Matched object name on destination column. - +This is used to capture Company name of file located in version_info type: keyword -- -*`checkpoint.drop_reason`*:: +*`rsa.file.task_name`*:: + -- -Drop reason description. - +This is used to capture name of the task type: keyword -- -*`checkpoint.hit`*:: + +*`rsa.web.fqdn`*:: + -- -Number of hits on a rule. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`checkpoint.rulebase_id`*:: +*`rsa.web.web_cookie`*:: + -- -Layer number. +This key is used to capture the Web cookies specifically. - -type: integer +type: keyword -- -*`checkpoint.first_hit_time`*:: +*`rsa.web.alias_host`*:: + -- -First hit time in current interval. - - -type: integer +type: keyword -- -*`checkpoint.last_hit_time`*:: +*`rsa.web.reputation_num`*:: + -- -Last hit time in current interval. 
- +Reputation Number of an entity. Typically used for Web Domains -type: integer +type: double -- -*`checkpoint.rematch_info`*:: +*`rsa.web.web_ref_domain`*:: + -- -Information sent when old connections cannot be matched during policy installation. - +Web referer's domain type: keyword -- -*`checkpoint.last_rematch_time`*:: +*`rsa.web.web_ref_query`*:: + -- -Connection rematched time. - +This key captures Web referer's query portion of the URL type: keyword -- -*`checkpoint.action_reason`*:: +*`rsa.web.remote_domain`*:: + -- -Connection drop reason. - - -type: integer +type: keyword -- -*`checkpoint.c_bytes`*:: +*`rsa.web.web_ref_page`*:: + -- -Boolean value indicates whether bytes sent from the client side are used. +This key captures Web referer's page information - -type: integer +type: keyword -- -*`checkpoint.context_num`*:: +*`rsa.web.web_ref_root`*:: + -- -Serial number of the log for a specific connection. - +Web referer's root URL path -type: integer +type: keyword -- -*`checkpoint.match_id`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Private key of the rule - - -type: integer +type: keyword -- -*`checkpoint.alert`*:: +*`rsa.web.cn_rpackets`*:: + -- -Alert level of matched rule (for connection logs). +type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`checkpoint.parent_rule`*:: +*`rsa.web.urlroot`*:: + -- -Parent rule number, in case of inline layer. +type: keyword +-- -type: integer +*`rsa.web.p_url`*:: ++ +-- +type: keyword -- -*`checkpoint.match_fk`*:: +*`rsa.web.p_user_agent`*:: + -- -Rule number. +type: keyword +-- -type: integer +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_outgoing`*:: +*`rsa.web.p_web_method`*:: + -- -Number of outgoing bytes dropped when using UP-limit feature. +type: keyword +-- -type: integer +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_incoming`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Number of incoming bytes dropped when using UP-limit feature. 
+type: keyword +-- -type: integer +*`rsa.web.web_page`*:: ++ +-- +type: keyword -- -*`checkpoint.media_type`*:: + +*`rsa.threat.threat_category`*:: + -- -Media used (audio, video, etc.) - +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -- -*`checkpoint.sip_reason`*:: +*`rsa.threat.threat_desc`*:: + -- -Explains why 'source_ip' isn't allowed to redirect (handover). - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`checkpoint.voip_method`*:: +*`rsa.threat.alert`*:: + -- -Registration request. - +This key is used to capture name of the alert type: keyword -- -*`checkpoint.registered_ip-phones`*:: +*`rsa.threat.threat_source`*:: + -- -Registered IP-Phones. - +This key is used to capture source of the threat type: keyword -- -*`checkpoint.voip_reg_user_type`*:: + +*`rsa.crypto.crypto`*:: + -- -Registered IP-Phone type. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`checkpoint.voip_call_id`*:: +*`rsa.crypto.cipher_src`*:: + -- -Call-ID. - +This key is for Source (Client) Cipher type: keyword -- -*`checkpoint.voip_reg_int`*:: +*`rsa.crypto.cert_subject`*:: + -- -Registration port. +This key is used to capture the Certificate organization only - -type: integer +type: keyword -- -*`checkpoint.voip_reg_ipp`*:: +*`rsa.crypto.peer`*:: + -- -Registration IP protocol. - +This key is for Encryption peer's IP Address -type: integer +type: keyword -- -*`checkpoint.voip_reg_period`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Registration period. +This key captures Source (Client) Cipher Size - -type: integer +type: long -- -*`checkpoint.voip_log_type`*:: +*`rsa.crypto.ike`*:: + -- -VoIP log types. Possible values: reject, call, registration. - +IKE negotiation phase. type: keyword -- -*`checkpoint.src_phone_number`*:: +*`rsa.crypto.scheme`*:: + -- -Source IP-Phone. 
- +This key captures the Encryption scheme used type: keyword -- -*`checkpoint.voip_from_user_type`*:: +*`rsa.crypto.peer_id`*:: + -- -Source IP-Phone type. - +This key is for Encryption peer’s identity type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.crypto.sig_type`*:: + -- -Destination IP-Phone. - +This key captures the Signature Type type: keyword -- -*`checkpoint.voip_to_user_type`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Destination IP-Phone type. - - type: keyword -- -*`checkpoint.voip_call_dir`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Call direction: in/out. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.voip_call_state`*:: +*`rsa.crypto.cert_error`*:: + -- -Call state. Possible values: in/out. - +This key captures the Certificate Error String type: keyword -- -*`checkpoint.voip_call_term_time`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Call termination time stamp. - +This key is for Destination (Server) Cipher type: keyword -- -*`checkpoint.voip_duration`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Call duration (seconds). +This key captures Destination (Server) Cipher Size - -type: keyword +type: long -- -*`checkpoint.voip_media_port`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Media int. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_media_ipp`*:: +*`rsa.crypto.d_certauth`*:: + -- -Media IP protocol. +type: keyword +-- +*`rsa.crypto.s_certauth`*:: ++ +-- type: keyword -- -*`checkpoint.voip_est_codec`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Estimated codec. - +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`checkpoint.voip_exp`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Expiration. - +ID of the negotiation — sent for ISAKMP Phase Two -type: integer +type: keyword -- -*`checkpoint.voip_attach_sz`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Attachment size. - - -type: integer +type: keyword -- -*`checkpoint.voip_attach_action_info`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Attachment action Info. 
- +This key is used for the hostname category value of a certificate type: keyword -- -*`checkpoint.voip_media_codec`*:: +*`rsa.crypto.cert_serial`*:: + -- -Estimated codec. - +This key is used to capture the Certificate serial number only type: keyword -- -*`checkpoint.voip_reject_reason`*:: +*`rsa.crypto.cert_status`*:: + -- -Reject reason. - +This key captures Certificate validation status type: keyword -- -*`checkpoint.voip_reason_info`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Information. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_config`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Configuration. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -*`checkpoint.voip_reg_server`*:: +*`rsa.crypto.https_insact`*:: + -- -Registrar server IP address. +type: keyword +-- -type: ip +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword -- -*`checkpoint.scv_user`*:: +*`rsa.crypto.cert_ca`*:: + -- -Username whose packets are dropped on SCV. - +This key is used to capture the Certificate signing authority only type: keyword -- -*`checkpoint.scv_message_info`*:: +*`rsa.crypto.cert_common`*:: + -- -Drop reason. - +This key is used to capture the Certificate common name only type: keyword -- -*`checkpoint.ppp`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Authentication status. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`checkpoint.scheme`*:: +*`rsa.wireless.access_point`*:: + -- -Describes the scheme used for the log. - +This key is used to capture the access point name. type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Password authentication protocol used (PAP or EAP). - +This is used to capture the channel names -type: keyword +type: long -- -*`checkpoint.machine`*:: +*`rsa.wireless.wlan_name`*:: + -- -L2TP machine which triggered the log and the log refers to it. 
- +This key captures either WLAN number/name type: keyword -- -*`checkpoint.vpn_feature_name`*:: + +*`rsa.storage.disk_volume`*:: + -- -L2TP /IKE / Link Selection. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`checkpoint.reject_category`*:: +*`rsa.storage.lun`*:: + -- -Authentication failure reason. - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`checkpoint.peer_ip_probing_status_update`*:: +*`rsa.storage.pwwn`*:: + -- -IP address response status. - +This uniquely identifies a port on a HBA. type: keyword -- -*`checkpoint.peer_ip`*:: + +*`rsa.physical.org_dst`*:: + -- -IP address which the client connects to. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.physical.org_src`*:: + -- -Main IP of the peer Security Gateway. - +This is used to capture the source organization based on the GEOPIP Maxmind database. -type: ip +type: keyword -- -*`checkpoint.link_probing_status_update`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -IP address response status. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.source_interface`*:: +*`rsa.healthcare.patient_id`*:: + -- -External Interface name for source interface or Null if not found. - +This key captures the unique ID for a patient type: keyword -- -*`checkpoint.next_hop_ip`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Next hop IP address. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.srckeyid`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Initiator Spi ID. 
- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.dstkeyid`*:: + +*`rsa.endpoint.host_state`*:: + -- -Responder Spi ID. - +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`checkpoint.encryption_failure`*:: +*`rsa.endpoint.registry_key`*:: + -- -Message indicating why the encryption failed. - +This key captures the path to the registry key type: keyword -- -*`checkpoint.ike_ids`*:: +*`rsa.endpoint.registry_value`*:: + -- -All QM ids. - +This key captures values or decorators used within a registry entry type: keyword -- -*`checkpoint.community`*:: +[[exported-fields-beat-common]] +== Beat fields + +Contains common beat fields available in all event types. + + + +*`agent.hostname`*:: + -- -Community name for the IPSec key and the use of the IKEv. +Deprecated - use agent.name or agent.id to identify an agent. -type: keyword +type: alias + +alias to: agent.name -- -*`checkpoint.ike`*:: +*`beat.timezone`*:: + -- -IKEMode (PHASE1, PHASE2, etc..). - +type: alias -type: keyword +alias to: event.timezone -- -*`checkpoint.cookieI`*:: +*`fields`*:: + -- -Initiator cookie. +Contains user configurable fields. -type: keyword +type: object -- -*`checkpoint.cookieR`*:: +*`beat.name`*:: + -- -Responder cookie. - +type: alias -type: keyword +alias to: host.name -- -*`checkpoint.msgid`*:: +*`beat.hostname`*:: + -- -Message ID. - +type: alias -type: keyword +alias to: agent.name -- -*`checkpoint.methods`*:: +*`timeseries.instance`*:: + -- -IPSEc methods. - +Time series instance id type: keyword -- -*`checkpoint.connection_uid`*:: +[[exported-fields-bluecoat]] +== Blue Coat Director fields + +bluecoat fields. + + + +*`network.interface.name`*:: + -- -Calculation of md5 of the IP and user name as UID. +Name of the network interface where the traffic has been observed. 
type: keyword -- -*`checkpoint.site_name`*:: + + +*`rsa.internal.msg`*:: + -- -Site name. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`checkpoint.esod_rule_name`*:: +*`rsa.internal.messageid`*:: + -- -Unknown rule name. +type: keyword +-- +*`rsa.internal.event_desc`*:: ++ +-- type: keyword -- -*`checkpoint.esod_rule_action`*:: +*`rsa.internal.message`*:: + -- -Unknown rule action. - +This key captures the contents of instant messages type: keyword -- -*`checkpoint.esod_rule_type`*:: +*`rsa.internal.time`*:: + -- -Unknown rule type. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: keyword +type: date -- -*`checkpoint.esod_noncompliance_reason`*:: +*`rsa.internal.level`*:: + -- -Non-compliance reason. - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`checkpoint.esod_associated_policies`*:: +*`rsa.internal.msg_id`*:: + -- -Associated policies. - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.internal.msg_vid`*:: + -- -Spyware name. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_type`*:: +*`rsa.internal.data`*:: + -- -Spyware type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.anti_virus_type`*:: +*`rsa.internal.obj_server`*:: + -- -Anti virus type. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.end_user_firewall_type`*:: +*`rsa.internal.obj_val`*:: + -- -End user firewall type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_scan_status`*:: +*`rsa.internal.resource`*:: + -- -Scan failed. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_access_status`*:: +*`rsa.internal.obj_id`*:: + -- -Access denied. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.client_type`*:: +*`rsa.internal.statement`*:: + -- -Endpoint Connect. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.precise_error`*:: +*`rsa.internal.audit_class`*:: + -- -HTTP parser error. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.method`*:: +*`rsa.internal.entry`*:: + -- -HTTP method. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.trusted_domain`*:: +*`rsa.internal.hcode`*:: + -- -In case of phishing event, the domain, which the attacker was impersonating. - +Deprecated key defined only in table map. type: keyword -- -[[exported-fields-cisco]] -== Cisco fields +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -Module for handling Cisco network device logs. +type: long +-- +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. -[float] -=== cisco - -Fields from Cisco logs. - - - -[float] -=== asa - -Fields for Cisco ASA Firewall. - +type: keyword +-- -*`cisco.asa.message_id`*:: +*`rsa.internal.dead`*:: + -- -The Cisco ASA message identifier. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`cisco.asa.suffix`*:: +*`rsa.internal.feed_desc`*:: + -- -Optional suffix after %ASA identifier. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: session - -- -*`cisco.asa.source_interface`*:: +*`rsa.internal.feed_name`*:: + -- -Source interface for the flow or event. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_interface`*:: +*`rsa.internal.cid`*:: + -- -Destination interface for the flow or event. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.rule_name`*:: +*`rsa.internal.device_class`*:: + -- -Name of the Access Control List rule that matched this event. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.source_username`*:: +*`rsa.internal.device_group`*:: + -- -Name of the user that is the source for this event. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_username`*:: +*`rsa.internal.device_host`*:: + -- -Name of the user that is the destination for this event. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_source_ip`*:: +*`rsa.internal.device_ip`*:: + -- -The translated source IP address. - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cisco.asa.mapped_source_host`*:: +*`rsa.internal.device_ipv6`*:: + -- -The translated source host. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: ip -- -*`cisco.asa.mapped_source_port`*:: +*`rsa.internal.device_type`*:: + -- -The translated source port. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`cisco.asa.mapped_destination_ip`*:: +*`rsa.internal.device_type_id`*:: + -- -The translated destination IP address. +Deprecated key defined only in table map. - -type: ip +type: long -- -*`cisco.asa.mapped_destination_host`*:: +*`rsa.internal.did`*:: + -- -The translated destination host. - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_destination_port`*:: +*`rsa.internal.entropy_req`*:: + -- -The translated destination port. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cisco.asa.threat_level`*:: +*`rsa.internal.entropy_res`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`cisco.asa.threat_category`*:: +*`rsa.internal.event_name`*:: + -- -Category for the malware / botnet traffic. 
For example: virus, botnet, trojan, etc. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.asa.connection_id`*:: +*`rsa.internal.feed_category`*:: + -- -Unique identifier for a flow. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.icmp_type`*:: +*`rsa.internal.forward_ip`*:: + -- -ICMP type. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: short +type: ip -- -*`cisco.asa.icmp_code`*:: +*`rsa.internal.forward_ipv6`*:: + -- -ICMP code. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: short +type: ip -- -*`cisco.asa.connection_type`*:: +*`rsa.internal.header_id`*:: + -- -The VPN connection type - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.dap_records`*:: +*`rsa.internal.lc_cid`*:: + -- -The assigned DAP records - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== ftd - -Fields for Cisco Firepower Threat Defense Firewall. - - - -*`cisco.ftd.message_id`*:: +*`rsa.internal.lc_ctime`*:: + -- -The Cisco FTD message identifier. - +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`cisco.ftd.suffix`*:: +*`rsa.internal.mcb_req`*:: + -- -Optional suffix after %FTD identifier. - - -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -example: session +type: long -- -*`cisco.ftd.source_interface`*:: +*`rsa.internal.mcb_res`*:: + -- -Source interface for the flow or event. - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cisco.ftd.destination_interface`*:: +*`rsa.internal.mcbc_req`*:: + -- -Destination interface for the flow or event. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`cisco.ftd.rule_name`*:: +*`rsa.internal.mcbc_res`*:: + -- -Name of the Access Control List rule that matched this event. - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cisco.ftd.source_username`*:: +*`rsa.internal.medium`*:: + -- -Name of the user that is the source for this event. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: keyword +type: long -- -*`cisco.ftd.destination_username`*:: +*`rsa.internal.node_name`*:: + -- -Name of the user that is the destination for this event. - +Deprecated key defined only in table map. 
type: keyword -- -*`cisco.ftd.mapped_source_ip`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The translated source IP address. Use ECS source.nat.ip. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`cisco.ftd.mapped_source_host`*:: +*`rsa.internal.parse_error`*:: + -- -The translated source host. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.mapped_source_port`*:: +*`rsa.internal.payload_req`*:: + -- -The translated source port. Use ECS source.nat.port. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cisco.ftd.mapped_destination_ip`*:: +*`rsa.internal.payload_res`*:: + -- -The translated destination IP address. Use ECS destination.nat.ip. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: ip +type: long -- -*`cisco.ftd.mapped_destination_host`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The translated destination host. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cisco.ftd.mapped_destination_port`*:: +*`rsa.internal.process_vid_src`*:: + -- -The translated destination port. Use ECS destination.nat.port. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: long +type: keyword -- -*`cisco.ftd.threat_level`*:: +*`rsa.internal.rid`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
+This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`cisco.ftd.threat_category`*:: +*`rsa.internal.session_split`*:: + -- -Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.connection_id`*:: +*`rsa.internal.site`*:: + -- -Unique identifier for a flow. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.ftd.icmp_type`*:: +*`rsa.internal.size`*:: + -- -ICMP type. - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: short +type: long -- -*`cisco.ftd.icmp_code`*:: +*`rsa.internal.sourcefile`*:: + -- -ICMP code. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: short +type: keyword -- -*`cisco.ftd.security`*:: +*`rsa.internal.ubc_req`*:: + -- -Raw fields for Security Events. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: object +type: long -- -*`cisco.ftd.connection_type`*:: +*`rsa.internal.ubc_res`*:: + -- -The VPN connection type - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cisco.ftd.dap_records`*:: +*`rsa.internal.word`*:: + -- -The assigned DAP records - +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -[float] -=== ios -Fields for Cisco IOS logs. +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +type: date +-- -*`cisco.ios.access_list`*:: +*`rsa.time.duration_time`*:: + -- -Name of the IP access list. +This key is used to capture the normalized duration/lifetime in seconds. - -type: keyword +type: double -- -*`cisco.ios.facility`*:: +*`rsa.time.event_time_str`*:: + -- -The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -example: SEC - -- -[[exported-fields-cloud]] -== Cloud provider metadata fields - -Metadata from cloud providers added by the add_cloud_metadata processor. - - - -*`cloud.project.id`*:: +*`rsa.time.starttime`*:: + -- -Name of the project in Google Cloud. - +This key is used to capture the Start time mentioned in a session in a standard form -example: project-x +type: date -- -*`cloud.image.id`*:: +*`rsa.time.month`*:: + -- -Image ID for the cloud instance. 
+type: keyword +-- -example: ami-abcd1234 +*`rsa.time.day`*:: ++ +-- +type: keyword -- -*`meta.cloud.provider`*:: +*`rsa.time.endtime`*:: + -- -type: alias +This key is used to capture the End time mentioned in a session in a standard form -alias to: cloud.provider +type: date -- -*`meta.cloud.instance_id`*:: +*`rsa.time.timezone`*:: + -- -type: alias +This key is used to capture the timezone of the Event Time -alias to: cloud.instance.id +type: keyword -- -*`meta.cloud.instance_name`*:: +*`rsa.time.duration_str`*:: + -- -type: alias +A text string version of the duration -alias to: cloud.instance.name +type: keyword -- -*`meta.cloud.machine_type`*:: +*`rsa.time.date`*:: + -- -type: alias - -alias to: cloud.machine.type +type: keyword -- -*`meta.cloud.availability_zone`*:: +*`rsa.time.year`*:: + -- -type: alias - -alias to: cloud.availability_zone +type: keyword -- -*`meta.cloud.project_id`*:: +*`rsa.time.recorded_time`*:: + -- -type: alias +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -alias to: cloud.project.id +type: date -- -*`meta.cloud.region`*:: +*`rsa.time.datetime`*:: + -- -type: alias +type: keyword -alias to: cloud.region +-- +*`rsa.time.effective_time`*:: ++ -- +This key is the effective time referenced by an individual event in a Standard Timestamp format -[[exported-fields-coredns]] -== Coredns fields +type: date -Module for handling logs produced by coredns +-- +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. 
+type: date -[float] -=== coredns +-- -coredns fields after normalization +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time +type: keyword +-- -*`coredns.id`*:: +*`rsa.time.hour`*:: + -- -id of the DNS transaction +type: keyword +-- +*`rsa.time.min`*:: ++ +-- type: keyword -- -*`coredns.query.size`*:: +*`rsa.time.timestamp`*:: + -- -size of the DNS query +type: keyword +-- -type: integer +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. -format: bytes +type: date -- -*`coredns.query.class`*:: +*`rsa.time.p_time1`*:: + -- -DNS query class - - type: keyword -- -*`coredns.query.name`*:: +*`rsa.time.tzone`*:: + -- -DNS query name +type: keyword +-- +*`rsa.time.eventtime`*:: ++ +-- type: keyword -- -*`coredns.query.type`*:: +*`rsa.time.gmtdate`*:: + -- -DNS query type +type: keyword +-- +*`rsa.time.gmttime`*:: ++ +-- type: keyword -- -*`coredns.response.code`*:: +*`rsa.time.p_date`*:: + -- -DNS response code +type: keyword +-- +*`rsa.time.p_month`*:: ++ +-- type: keyword -- -*`coredns.response.flags`*:: +*`rsa.time.p_time`*:: + -- -DNS response flags +type: keyword +-- +*`rsa.time.p_time2`*:: ++ +-- type: keyword -- -*`coredns.response.size`*:: +*`rsa.time.p_year`*:: + -- -size of the DNS response +type: keyword +-- -type: integer +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -format: bytes +type: keyword -- -*`coredns.dnssec_ok`*:: +*`rsa.time.stamp`*:: + -- -dnssec flag +Deprecated key defined only in table map. - -type: boolean +type: date -- -[[exported-fields-crowdstrike]] -== Crowdstrike fields -Module for collecting Crowdstrike events. +*`rsa.misc.action`*:: ++ +-- +type: keyword +-- +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. -[float] -=== crowdstrike +type: keyword -Fields for Crowdstrike Falcon event and alert data. 
+-- +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session +type: keyword -[float] -=== metadata +-- -Meta data fields for each event that include type and timestamp. +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. +type: keyword +-- -*`crowdstrike.metadata.eventType`*:: +*`rsa.misc.reference_id`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - +This key is used to capture an event id from the session directly type: keyword -- -*`crowdstrike.metadata.eventCreationTime`*:: +*`rsa.misc.version`*:: + -- -The time this event occurred on the endpoint in UTC UNIX_MS format. - +This key captures Version of the application or OS which is generating the event. -type: date +type: keyword -- -*`crowdstrike.metadata.offset`*:: +*`rsa.misc.disposition`*:: + -- -Offset number that tracks the location of the event in stream. This is used to identify unique detection events. +This key captures the The end state of an action. - -type: integer +type: keyword -- -*`crowdstrike.metadata.customerIDString`*:: +*`rsa.misc.result_code`*:: + -- -Customer identifier - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`crowdstrike.metadata.version`*:: +*`rsa.misc.category`*:: + -- -Schema version - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -[float] -=== event - -Event data fields for each event and alert. +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object +type: keyword +-- -*`crowdstrike.event.ProcessStartTime`*:: +*`rsa.misc.obj_type`*:: + -- -The process start time in UTC UNIX_MS format. 
- +This is used to capture type of object -type: date +type: keyword -- -*`crowdstrike.event.ProcessEndTime`*:: +*`rsa.misc.event_source`*:: + -- -The process termination time in UTC UNIX_MS format. +This key captures Source of the event that’s not a hostname - -type: date +type: keyword -- -*`crowdstrike.event.ProcessId`*:: +*`rsa.misc.log_session_id`*:: + -- -Process ID related to the detection. - +This key is used to capture a sessionid from the session directly -type: integer +type: keyword -- -*`crowdstrike.event.ParentProcessId`*:: +*`rsa.misc.group`*:: + -- -Parent process ID related to the detection. +This key captures the Group Name value - -type: integer +type: keyword -- -*`crowdstrike.event.ComputerName`*:: +*`rsa.misc.policy_name`*:: + -- -Name of the computer where the detection occurred. - +This key is used to capture the Policy Name only. type: keyword -- -*`crowdstrike.event.UserName`*:: +*`rsa.misc.rule_name`*:: + -- -User name associated with the detection. - +This key captures the Rule Name type: keyword -- -*`crowdstrike.event.DetectName`*:: +*`rsa.misc.context`*:: + -- -Name of the detection. - +This key captures Information which adds additional context to the event. type: keyword -- -*`crowdstrike.event.DetectDescription`*:: +*`rsa.misc.change_new`*:: + -- -Description of the detection. - +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.Severity`*:: +*`rsa.misc.space`*:: + -- -Severity score of the detection. - - -type: integer +type: keyword -- -*`crowdstrike.event.SeverityName`*:: +*`rsa.misc.client`*:: + -- -Severity score text. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
type: keyword -- -*`crowdstrike.event.FileName`*:: +*`rsa.misc.msgIdPart1`*:: + -- -File name of the associated process for the detection. +type: keyword +-- +*`rsa.misc.msgIdPart2`*:: ++ +-- type: keyword -- -*`crowdstrike.event.FilePath`*:: +*`rsa.misc.change_old`*:: + -- -Path of the executable associated with the detection. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.CommandLine`*:: +*`rsa.misc.operation_id`*:: + -- -Executable path with command line arguments. - +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`crowdstrike.event.SHA256String`*:: +*`rsa.misc.event_state`*:: + -- -SHA256 sum of the executable associated with the detection. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`crowdstrike.event.MD5String`*:: +*`rsa.misc.group_object`*:: + -- -MD5 sum of the executable associated with the detection. - +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`crowdstrike.event.MachineDomain`*:: +*`rsa.misc.node`*:: + -- -Domain for the machine associated with the detection. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`crowdstrike.event.FalconHostLink`*:: +*`rsa.misc.rule`*:: + -- -URL to view the detection in Falcon. - +This key captures the Rule number type: keyword -- -*`crowdstrike.event.SensorId`*:: +*`rsa.misc.device_name`*:: + -- -Unique ID associated with the Falcon sensor. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`crowdstrike.event.DetectId`*:: +*`rsa.misc.param`*:: + -- -Unique ID associated with the detection. - +This key is the parameters passed as part of a command or application, etc. 
type: keyword -- -*`crowdstrike.event.LocalIP`*:: +*`rsa.misc.change_attrib`*:: + -- -IP address of the host associated with the detection. - +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.MACAddress`*:: +*`rsa.misc.event_computer`*:: + -- -MAC address of the host associated with the detection. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`crowdstrike.event.Tactic`*:: +*`rsa.misc.reference_id1`*:: + -- -MITRE tactic category of the detection. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`crowdstrike.event.Technique`*:: +*`rsa.misc.event_log`*:: + -- -MITRE technique category of the detection. - +This key captures the Name of the event log type: keyword -- -*`crowdstrike.event.Objective`*:: +*`rsa.misc.OS`*:: + -- -Method of detection. - +This key captures the Name of the Operating System type: keyword -- -*`crowdstrike.event.PatternDispositionDescription`*:: +*`rsa.misc.terminal`*:: + -- -Action taken by Falcon. - +This key captures the Terminal Names only type: keyword -- -*`crowdstrike.event.PatternDispositionValue`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Unique ID associated with action taken. - - -type: integer +type: keyword -- -*`crowdstrike.event.PatternDispositionFlags`*:: +*`rsa.misc.filter`*:: + -- -Flags indicating actions taken. +This key captures Filter used to reduce result set - -type: object +type: keyword -- -*`crowdstrike.event.State`*:: +*`rsa.misc.serial_number`*:: + -- -Whether the incident summary is open and ongoing or closed. - +This key is the Serial number associated with a physical asset. type: keyword -- -*`crowdstrike.event.IncidentStartTime`*:: +*`rsa.misc.checksum`*:: + -- -Start time for the incident in UTC UNIX format. +This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: date +type: keyword -- -*`crowdstrike.event.IncidentEndTime`*:: +*`rsa.misc.event_user`*:: + -- -End time for the incident in UTC UNIX format. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: date +type: keyword -- -*`crowdstrike.event.FineScore`*:: +*`rsa.misc.virusname`*:: + -- -Score for incident. +This key captures the name of the virus - -type: float +type: keyword -- -*`crowdstrike.event.UserId`*:: +*`rsa.misc.content_type`*:: + -- -Email address or user ID associated with the event. - +This key is used to capture Content Type only. type: keyword -- -*`crowdstrike.event.UserIp`*:: +*`rsa.misc.group_id`*:: + -- -IP address associated with the user. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`crowdstrike.event.OperationName`*:: +*`rsa.misc.policy_id`*:: + -- -Event subtype. - +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`crowdstrike.event.ServiceName`*:: +*`rsa.misc.vsys`*:: + -- -Service associated with this event. - +This key captures Virtual System Name type: keyword -- -*`crowdstrike.event.Success`*:: +*`rsa.misc.connection_id`*:: + -- -Indicator of whether or not this event was successful. - +This key captures the Connection ID -type: boolean +type: keyword -- -*`crowdstrike.event.UTCTimestamp`*:: +*`rsa.misc.reference_id2`*:: + -- -Timestamp associated with this event in UTC UNIX format. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: date +type: keyword -- -*`crowdstrike.event.AuditKeyValues`*:: +*`rsa.misc.sensor`*:: + -- -Fields that were changed in this event. 
- +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: nested +type: keyword -- -*`crowdstrike.event.SessionId`*:: +*`rsa.misc.sig_id`*:: + -- -Session ID of the remote response session. +This key captures IDS/IPS Int Signature ID - -type: keyword +type: long -- -*`crowdstrike.event.HostnameField`*:: +*`rsa.misc.port_name`*:: + -- -Host name of the machine for the remote session. - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`crowdstrike.event.StartTimestamp`*:: +*`rsa.misc.rule_group`*:: + -- -Start time for the remote session in UTC UNIX format. +This key captures the Rule group name - -type: date +type: keyword -- -*`crowdstrike.event.EndTimestamp`*:: +*`rsa.misc.risk_num`*:: + -- -End time for the remote session in UTC UNIX format. +This key captures a Numeric Risk value +type: double -type: date +-- +*`rsa.misc.trigger_val`*:: ++ -- +This key captures the Value of the trigger or threshold condition. -[[exported-fields-docker-processor]] -== Docker fields +type: keyword -Docker stats collected from Docker. +-- +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly +type: keyword +-- -*`docker.container.id`*:: +*`rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. -alias to: container.id +type: keyword -- -*`docker.container.image`*:: +*`rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: container.image.name +type: keyword -- -*`docker.container.name`*:: +*`rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: container.name +type: keyword -- -*`docker.container.labels`*:: +*`rsa.misc.risk`*:: + -- -Image labels. 
+This key captures the non-numeric risk value - -type: object +type: keyword -- -[[exported-fields-ecs]] -== ECS fields - -ECS Fields. +*`rsa.misc.event_id`*:: ++ +-- +type: keyword +-- -*`@timestamp`*:: +*`rsa.misc.reason`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +-- -required: True +*`rsa.misc.status`*:: ++ +-- +type: keyword -- -*`labels`*:: +*`rsa.misc.mail_id`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. - -type: object +This key is used to capture the mailbox id/name -example: {"application": "foo-bar", "env": "production"} +type: keyword -- -*`message`*:: +*`rsa.misc.rule_uid`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. - -type: text +This key is the Unique Identifier for a rule. -example: Hello World +type: keyword -- -*`tags`*:: +*`rsa.misc.trigger_desc`*:: + -- -List of keywords used to tag each event. +This key captures the Description of the trigger or threshold condition. type: keyword -example: ["production", "env2"] +-- +*`rsa.misc.inout`*:: ++ -- +type: keyword -[float] -=== agent +-- -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword +-- -*`agent.ephemeral_id`*:: +*`rsa.misc.data_type`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - type: keyword -example: 8a4f500f - -- -*`agent.id`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - type: keyword -example: 8a4f500d - -- -*`agent.name`*:: +*`rsa.misc.error`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +This key captures All non successful Error codes or responses type: keyword -example: foo - -- -*`agent.type`*:: +*`rsa.misc.index`*:: + -- -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - type: keyword -example: filebeat - -- -*`agent.version`*:: +*`rsa.misc.listnum`*:: + -- -Version of the agent. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -example: 6.0.0-rc2 - -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. +*`rsa.misc.ntype`*:: ++ +-- +type: keyword +-- -*`as.number`*:: +*`rsa.misc.observed_val`*:: + -- -Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures the Value observed (from the perspective of the device generating the log). -example: 15169 +type: keyword -- -*`as.organization.name`*:: +*`rsa.misc.policy_value`*:: + -- -Organization name. +This key captures the contents of the policy. This contains details about the policy type: keyword -example: Google LLC - -- -*`as.organization.name.text`*:: +*`rsa.misc.pool_name`*:: + -- -type: text +This key captures the name of a resource pool + +type: keyword -- -[float] -=== client +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +type: keyword +-- -*`client.address`*:: +*`rsa.misc.count`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- type: keyword -- -*`client.as.number`*:: +*`rsa.misc.number`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +type: keyword -type: long +-- -example: 15169 +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword -- -*`client.as.organization.name`*:: +*`rsa.misc.type`*:: + -- -Organization name. - type: keyword -example: Google LLC - -- -*`client.as.organization.name.text`*:: +*`rsa.misc.comments`*:: + -- -type: text +Comment information provided in the log message + +type: keyword -- -*`client.bytes`*:: +*`rsa.misc.doc_number`*:: + -- -Bytes sent from the client to the server. +This key captures File Identification number type: long -example: 184 - -format: bytes - -- -*`client.domain`*:: +*`rsa.misc.expected_val`*:: + -- -Client domain. +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`client.geo.city_name`*:: +*`rsa.misc.job_num`*:: + -- -City name. +This key captures the Job Number type: keyword -example: Montreal - -- -*`client.geo.continent_name`*:: +*`rsa.misc.spi_dst`*:: + -- -Name of the continent. +Destination SPI Index type: keyword -example: North America - -- -*`client.geo.country_iso_code`*:: +*`rsa.misc.spi_src`*:: + -- -Country ISO code. +Source SPI Index type: keyword -example: CA - -- -*`client.geo.country_name`*:: +*`rsa.misc.code`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`client.geo.location`*:: +*`rsa.misc.agent_id`*:: + -- -Longitude and latitude. +This key is used to capture agent id -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`client.geo.name`*:: +*`rsa.misc.message_body`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
+This key captures the The contents of the message body. type: keyword -example: boston-dc - -- -*`client.geo.region_iso_code`*:: +*`rsa.misc.phone`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`client.geo.region_name`*:: +*`rsa.misc.sig_id_str`*:: + -- -Region name. +This key captures a string object of the sigid variable. type: keyword -example: Quebec - -- -*`client.ip`*:: +*`rsa.misc.cmd`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`client.mac`*:: +*`rsa.misc.misc`*:: + -- -MAC address of the client. - type: keyword -- -*`client.nat.ip`*:: +*`rsa.misc.name`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`client.nat.port`*:: +*`rsa.misc.cpu`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +This key is the CPU time used in the execution of the event being recorded. type: long -format: string - -- -*`client.packets`*:: +*`rsa.misc.event_desc`*:: + -- -Packets sent from the client to the server. - -type: long +This key is used to capture a description of an event available directly or inferred -example: 12 +type: keyword -- -*`client.port`*:: +*`rsa.misc.sig_id1`*:: + -- -Port of the client. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -format: string - -- -*`client.registered_domain`*:: +*`rsa.misc.im_buddyid`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- type: keyword -example: google.com - -- -*`client.top_level_domain`*:: +*`rsa.misc.im_client`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`client.user.domain`*:: +*`rsa.misc.im_userid`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.email`*:: +*`rsa.misc.pid`*:: + -- -User email address. - type: keyword -- -*`client.user.full_name`*:: +*`rsa.misc.priority`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`client.user.full_name.text`*:: +*`rsa.misc.context_subject`*:: + -- -type: text +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`client.user.group.domain`*:: +*`rsa.misc.context_target`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.group.id`*:: +*`rsa.misc.cve`*:: + -- -Unique identifier for the group on the system/platform. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`client.user.group.name`*:: +*`rsa.misc.fcatnum`*:: + -- -Name of the group. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`client.user.hash`*:: +*`rsa.misc.library`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+This key is used to capture library information in mainframe devices type: keyword -- -*`client.user.id`*:: +*`rsa.misc.parent_node`*:: + -- -Unique identifiers of the user. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`client.user.name`*:: +*`rsa.misc.risk_info`*:: + -- -Short name or login of the user. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: albert - -- -*`client.user.name.text`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: text +This key is captures the TCP flags set in any packet of session + +type: long -- -[float] -=== cloud +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service -Fields related to the cloud or infrastructure the events are coming from. +type: long +-- -*`cloud.account.id`*:: +*`rsa.misc.vm_target`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +VMWare Target **VMWARE** only varaible. type: keyword -example: 666777888999 - -- -*`cloud.availability_zone`*:: +*`rsa.misc.workspace`*:: + -- -Availability zone in which this host is running. +This key captures Workspace Description type: keyword -example: us-east-1c - -- -*`cloud.instance.id`*:: +*`rsa.misc.command`*:: + -- -Instance ID of the host machine. - type: keyword -example: i-1234567890abcdef0 - -- -*`cloud.instance.name`*:: +*`rsa.misc.event_category`*:: + -- -Instance name of the host machine. - type: keyword -- -*`cloud.machine.type`*:: +*`rsa.misc.facilityname`*:: + -- -Machine type of the host machine. - type: keyword -example: t2.medium - -- -*`cloud.provider`*:: +*`rsa.misc.forensic_info`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - type: keyword -example: aws - -- -*`cloud.region`*:: +*`rsa.misc.jobname`*:: + -- -Region in which this host is running. 
- type: keyword -example: us-east-1 - -- -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: +*`rsa.misc.mode`*:: + -- -Boolean to capture if a signature is present. - -type: boolean - -example: true +type: keyword -- -*`code_signature.status`*:: +*`rsa.misc.policy`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`code_signature.subject_name`*:: +*`rsa.misc.policy_waiver`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`code_signature.trusted`*:: +*`rsa.misc.second`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`code_signature.valid`*:: +*`rsa.misc.space1`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +type: keyword -example: true +-- +*`rsa.misc.subcategory`*:: ++ -- +type: keyword -[float] -=== container +-- -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword +-- -*`container.id`*:: +*`rsa.misc.alert_id`*:: + -- -Unique container id. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`container.image.name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Name of the image the container was built on. 
+This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`container.image.tag`*:: +*`rsa.misc.checksum_src`*:: + -- -Container image tags. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`container.labels`*:: +*`rsa.misc.fresult`*:: + -- -Image labels. +This key captures the Filter Result -type: object +type: long -- -*`container.name`*:: +*`rsa.misc.payload_dst`*:: + -- -Container name. +This key is used to capture destination payload type: keyword -- -*`container.runtime`*:: +*`rsa.misc.payload_src`*:: + -- -Runtime managing this container. +This key is used to capture source payload type: keyword -example: docker - -- -[float] -=== destination +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool -Destination fields describe details about the destination of a packet/event. -Destination fields are usually populated in conjunction with source fields. +type: keyword +-- -*`destination.address`*:: +*`rsa.misc.process_id_val`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`destination.as.number`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures Risk Number Community -example: 15169 +type: double -- -*`destination.as.organization.name`*:: +*`rsa.misc.risk_num_next`*:: + -- -Organization name. 
+This key captures Risk Number NextGen -type: keyword - -example: Google LLC +type: double -- -*`destination.as.organization.name.text`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: text +This key captures Risk Number SandBox + +type: double -- -*`destination.bytes`*:: +*`rsa.misc.risk_num_static`*:: + -- -Bytes sent from the destination to the source. - -type: long +This key captures Risk Number Static -example: 184 - -format: bytes +type: double -- -*`destination.domain`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Destination domain. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`destination.geo.city_name`*:: +*`rsa.misc.risk_warning`*:: + -- -City name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: Montreal - -- -*`destination.geo.continent_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Name of the continent. +SNMP Object Identifier type: keyword -example: North America - -- -*`destination.geo.country_iso_code`*:: +*`rsa.misc.sql`*:: + -- -Country ISO code. +This key captures the SQL query type: keyword -example: CA - -- -*`destination.geo.country_name`*:: +*`rsa.misc.vuln_ref`*:: + -- -Country name. +This key captures the Vulnerability Reference details type: keyword -example: Canada - -- -*`destination.geo.location`*:: +*`rsa.misc.acl_id`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`destination.geo.name`*:: +*`rsa.misc.acl_op`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`destination.geo.region_iso_code`*:: +*`rsa.misc.acl_pos`*:: + -- -Region ISO code. 
- type: keyword -example: CA-QC - -- -*`destination.geo.region_name`*:: +*`rsa.misc.acl_table`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`destination.ip`*:: +*`rsa.misc.admin`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`destination.mac`*:: +*`rsa.misc.alarm_id`*:: + -- -MAC address of the destination. - type: keyword -- -*`destination.nat.ip`*:: +*`rsa.misc.alarmname`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`destination.nat.port`*:: +*`rsa.misc.app_id`*:: + -- -Port the source session is translated to by NAT Device. -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string +type: keyword -- -*`destination.packets`*:: +*`rsa.misc.audit`*:: + -- -Packets sent from the destination to the source. +type: keyword -type: long +-- -example: 12 +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`destination.port`*:: +*`rsa.misc.auditdata`*:: + -- -Port of the destination. +type: keyword -type: long +-- -format: string +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword -- -*`destination.registered_domain`*:: +*`rsa.misc.bypass`*:: + -- -The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`destination.top_level_domain`*:: +*`rsa.misc.cache`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`destination.user.domain`*:: +*`rsa.misc.cache_hit`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.email`*:: +*`rsa.misc.cefversion`*:: + -- -User email address. - type: keyword -- -*`destination.user.full_name`*:: +*`rsa.misc.cfg_attr`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`destination.user.full_name.text`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: text +type: keyword -- -*`destination.user.group.domain`*:: +*`rsa.misc.cfg_path`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.group.id`*:: +*`rsa.misc.changes`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`destination.user.group.name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of the group. - type: keyword -- -*`destination.user.hash`*:: +*`rsa.misc.clustermembers`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`destination.user.id`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`destination.user.name`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`destination.user.name.text`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: text +type: keyword -- -[float] -=== dll +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword -These fields contain information about code libraries dynamically loaded into processes. 
+-- -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword +-- -*`dll.code_signature.exists`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword -- -*`dll.code_signature.status`*:: +*`rsa.misc.cn_engine_type`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`dll.code_signature.subject_name`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`dll.code_signature.trusted`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword -- -*`dll.code_signature.valid`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword -- -*`dll.hash.md5`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -MD5 hash. - type: keyword -- -*`dll.hash.sha1`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -SHA1 hash. 
- type: keyword -- -*`dll.hash.sha256`*:: +*`rsa.misc.cn_invalid`*:: + -- -SHA256 hash. - type: keyword -- -*`dll.hash.sha512`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -SHA512 hash. - type: keyword -- -*`dll.name`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. - type: keyword -example: kernel32.dll - -- -*`dll.path`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Full file path of the library. - type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.company`*:: +*`rsa.misc.cn_log_did`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`dll.pe.description`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`dll.pe.file_version`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`dll.pe.original_file_name`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`dll.pe.product`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System +-- +*`rsa.misc.cn_minpcktlen`*:: ++ -- +type: keyword -[float] -=== dns +-- -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword +-- -*`dns.answers`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. 
Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object +type: keyword -- -*`dns.answers.class`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -The class of DNS data contained in this resource record. - type: keyword -example: IN - -- -*`dns.answers.data`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. - type: keyword -example: 10.10.10.10 - -- -*`dns.answers.name`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - type: keyword -example: www.google.com - -- -*`dns.answers.ttl`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +type: keyword -type: long +-- -example: 180 +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword -- -*`dns.answers.type`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -The type of data contained in this resource record. - type: keyword -example: CNAME - -- -*`dns.header_flags`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. - type: keyword -example: ['RD', 'RA'] - -- -*`dns.id`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
- type: keyword -example: 62111 - -- -*`dns.op_code`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - type: keyword -example: QUERY - -- -*`dns.question.class`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -The class of records being queried. - type: keyword -example: IN - -- -*`dns.question.name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - type: keyword -example: www.google.com - -- -*`dns.question.registered_domain`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`dns.question.subdomain`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - type: keyword -example: www - -- -*`dns.question.top_level_domain`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`dns.question.type`*:: +*`rsa.misc.cn_sampint`*:: + -- -The type of record being queried. - type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`rsa.misc.cn_seqctr`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. +type: keyword -type: ip +-- -example: ['10.10.10.10', '10.10.10.11'] +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword -- -*`dns.response_code`*:: +*`rsa.misc.cn_src_tos`*:: + -- -The DNS response code. - type: keyword -example: NOERROR - -- -*`dns.type`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - type: keyword -example: answer +-- +*`rsa.misc.cn_sysuptime`*:: ++ -- +type: keyword -[float] -=== ecs +-- -Meta-information specific to ECS. +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword +-- -*`ecs.version`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
- type: keyword -example: 1.0.0 - -required: True +-- +*`rsa.misc.cn_totflowexp`*:: ++ -- +type: keyword -[float] -=== error +-- -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword +-- -*`error.code`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -Error code describing the error. - type: keyword -- -*`error.id`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Unique identifier for the error. - type: keyword -- -*`error.message`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -Error message. - -type: text +type: keyword -- -*`error.stack_trace`*:: +*`rsa.misc.comp_class`*:: + -- -The stack trace of this error in plain text. - type: keyword -- -*`error.stack_trace.text`*:: +*`rsa.misc.comp_name`*:: + -- -type: text +type: keyword -- -*`error.type`*:: +*`rsa.misc.comp_rbytes`*:: + -- -The type of the error, for example the class name of the exception. - type: keyword -example: java.lang.NullPointerException +-- +*`rsa.misc.comp_sbytes`*:: ++ -- +type: keyword -[float] -=== event +-- -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. 
+*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword +-- -*`event.action`*:: +*`rsa.misc.criticality`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - type: keyword -example: user-password-change - -- -*`event.category`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. - type: keyword -example: authentication - -- -*`event.code`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - type: keyword -example: 4648 - -- -*`event.created`*:: +*`rsa.misc.cs_av_other`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:34.857Z +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword -- -*`event.dataset`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - type: keyword -example: apache.access - -- -*`event.duration`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. +type: keyword -type: long +-- -format: duration +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword -- -*`event.end`*:: +*`rsa.misc.cs_context`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. - -type: date +type: keyword -- -*`event.hash`*:: +*`rsa.misc.cs_control`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`rsa.misc.cs_data`*:: + -- -Unique ID to describe the event. - type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`rsa.misc.cs_datecret`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:35.101Z +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword -- -*`event.kind`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - type: keyword -example: alert - -- -*`event.module`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - type: keyword -example: apache - -- -*`event.original`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - -- -*`event.outcome`*:: +*`rsa.misc.cs_filetype`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - type: keyword -example: success - -- -*`event.provider`*:: +*`rsa.misc.cs_fld`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - type: keyword -example: kernel - -- -*`event.reference`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://system.vendor.com/event/#0001234 - -- -*`event.risk_score`*:: +*`rsa.misc.cs_if_name`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - -type: float +type: keyword -- -*`event.risk_score_norm`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - -type: float +type: keyword -- -*`event.sequence`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. 
+type: keyword -type: long +-- -format: string +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword -- -*`event.severity`*:: +*`rsa.misc.cs_lifetime`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - -type: long +type: keyword -example: 7 +-- -format: string +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword -- -*`event.start`*:: +*`rsa.misc.cs_loginname`*:: + -- -event.start contains the date when the event started or when the activity was first observed. - -type: date +type: keyword -- -*`event.timezone`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - type: keyword -- -*`event.type`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- type: keyword -- -*`event.url`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +-- +*`rsa.misc.cs_payload`*:: ++ -- +type: keyword -[float] -=== file +-- -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword +-- -*`file.accessed`*:: +*`rsa.misc.cs_registrar`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date +type: keyword -- -*`file.attributes`*:: +*`rsa.misc.cs_represult`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - type: keyword -example: ["readonly", "system"] - -- -*`file.code_signature.exists`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword -- -*`file.code_signature.status`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
- type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`file.code_signature.subject_name`*:: +*`rsa.misc.cs_streams`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`file.code_signature.trusted`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword -- -*`file.code_signature.valid`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword -- -*`file.created`*:: +*`rsa.misc.description`*:: + -- -File creation time. -Note that not all filesystems store the creation time. - -type: date +type: keyword -- -*`file.ctime`*:: +*`rsa.misc.devvendor`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date +type: keyword -- -*`file.device`*:: +*`rsa.misc.distance`*:: + -- -Device that is the source of the file. - type: keyword -example: sda - -- -*`file.directory`*:: +*`rsa.misc.dstburb`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice - -- -*`file.drive_letter`*:: +*`rsa.misc.edomain`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - type: keyword -example: C - -- -*`file.extension`*:: +*`rsa.misc.edomaub`*:: + -- -File extension. 
- type: keyword -example: png - -- -*`file.gid`*:: +*`rsa.misc.euid`*:: + -- -Primary group ID (GID) of the file. - type: keyword -example: 1001 - -- -*`file.group`*:: +*`rsa.misc.facility`*:: + -- -Primary group name of the file. - type: keyword -example: alice - -- -*`file.hash.md5`*:: +*`rsa.misc.finterface`*:: + -- -MD5 hash. - type: keyword -- -*`file.hash.sha1`*:: +*`rsa.misc.flags`*:: + -- -SHA1 hash. - type: keyword -- -*`file.hash.sha256`*:: +*`rsa.misc.gaddr`*:: + -- -SHA256 hash. - type: keyword -- -*`file.hash.sha512`*:: +*`rsa.misc.id3`*:: + -- -SHA512 hash. - type: keyword -- -*`file.inode`*:: +*`rsa.misc.im_buddyname`*:: + -- -Inode representing the file in the filesystem. - type: keyword -example: 256383 - -- -*`file.mime_type`*:: +*`rsa.misc.im_croomid`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - type: keyword -- -*`file.mode`*:: +*`rsa.misc.im_croomtype`*:: + -- -Mode of the file in octal representation. - type: keyword -example: 0640 - -- -*`file.mtime`*:: +*`rsa.misc.im_members`*:: + -- -Last time the file content was modified. - -type: date +type: keyword -- -*`file.name`*:: +*`rsa.misc.im_username`*:: + -- -Name of the file including the extension, without the directory. - type: keyword -example: example.png - -- -*`file.owner`*:: +*`rsa.misc.ipkt`*:: + -- -File owner's username. - type: keyword -example: alice - -- -*`file.path`*:: +*`rsa.misc.ipscat`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice/example.png - -- -*`file.path.text`*:: +*`rsa.misc.ipspri`*:: + -- -type: text +type: keyword -- -*`file.pe.company`*:: +*`rsa.misc.latitude`*:: + -- -Internal company name of the file, provided at compile-time. 
- type: keyword -example: Microsoft Corporation - -- -*`file.pe.description`*:: +*`rsa.misc.linenum`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`rsa.misc.list_name`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.original_file_name`*:: +*`rsa.misc.load_data`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`rsa.misc.location_floor`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System - -- -*`file.size`*:: +*`rsa.misc.location_mark`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +type: keyword -type: long +-- -example: 16384 +*`rsa.misc.log_id`*:: ++ +-- +type: keyword -- -*`file.target_path`*:: +*`rsa.misc.log_type`*:: + -- -Target path for symlinks. - type: keyword -- -*`file.target_path.text`*:: +*`rsa.misc.logid`*:: + -- -type: text +type: keyword -- -*`file.type`*:: +*`rsa.misc.logip`*:: + -- -File type (file, dir, or symlink). - type: keyword -example: file - -- -*`file.uid`*:: +*`rsa.misc.logname`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -example: 1001 +-- +*`rsa.misc.longitude`*:: ++ -- +type: keyword -[float] -=== geo +-- -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +*`rsa.misc.lport`*:: ++ +-- +type: keyword +-- -*`geo.city_name`*:: +*`rsa.misc.mbug_data`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`geo.continent_name`*:: +*`rsa.misc.misc_name`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`geo.country_iso_code`*:: +*`rsa.misc.msg_type`*:: + -- -Country ISO code. 
- type: keyword -example: CA - -- -*`geo.country_name`*:: +*`rsa.misc.msgid`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`geo.location`*:: +*`rsa.misc.netsessid`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.num`*:: ++ +-- +type: keyword -- -*`geo.name`*:: +*`rsa.misc.number1`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`geo.region_iso_code`*:: +*`rsa.misc.number2`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`rsa.misc.nwwn`*:: + -- -Region name. - type: keyword -example: Quebec +-- +*`rsa.misc.object`*:: ++ -- +type: keyword -[float] -=== group +-- -The group fields are meant to represent groups that are relevant to the event. +*`rsa.misc.operation`*:: ++ +-- +type: keyword +-- -*`group.domain`*:: +*`rsa.misc.opkt`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`group.id`*:: +*`rsa.misc.orig_from`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`group.name`*:: +*`rsa.misc.owner_id`*:: + -- -Name of the group. - type: keyword -- -[float] -=== hash - -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +*`rsa.misc.p_action`*:: ++ +-- +type: keyword +-- -*`hash.md5`*:: +*`rsa.misc.p_filter`*:: + -- -MD5 hash. - type: keyword -- -*`hash.sha1`*:: +*`rsa.misc.p_group_object`*:: + -- -SHA1 hash. 
- type: keyword -- -*`hash.sha256`*:: +*`rsa.misc.p_id`*:: + -- -SHA256 hash. - type: keyword -- -*`hash.sha512`*:: +*`rsa.misc.p_msgid1`*:: + -- -SHA512 hash. - type: keyword -- -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword +-- -*`host.architecture`*:: +*`rsa.misc.p_result1`*:: + -- -Operating system architecture. - type: keyword -example: x86_64 - -- -*`host.domain`*:: +*`rsa.misc.password_chg`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`rsa.misc.password_expire`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`host.geo.continent_name`*:: +*`rsa.misc.permgranted`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`rsa.misc.permwanted`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`rsa.misc.pgid`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`host.geo.location`*:: +*`rsa.misc.policyUUID`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword -- -*`host.geo.name`*:: +*`rsa.misc.program`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
- type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`rsa.misc.real_data`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`rsa.misc.rec_asp_device`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`host.hostname`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. - type: keyword -- -*`host.id`*:: +*`rsa.misc.rec_library`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. - type: keyword -- -*`host.ip`*:: +*`rsa.misc.recordnum`*:: + -- -Host ip addresses. - -type: ip +type: keyword -- -*`host.mac`*:: +*`rsa.misc.ruid`*:: + -- -Host mac addresses. - type: keyword -- -*`host.name`*:: +*`rsa.misc.sburb`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - type: keyword -- -*`host.os.family`*:: +*`rsa.misc.sdomain_fld`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`host.os.full`*:: +*`rsa.misc.sec`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`host.os.full.text`*:: +*`rsa.misc.sensorname`*:: + -- -type: text +type: keyword -- -*`host.os.kernel`*:: +*`rsa.misc.seqnum`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`rsa.misc.session`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`host.os.name.text`*:: +*`rsa.misc.sessiontype`*:: + -- -type: text +type: keyword -- -*`host.os.platform`*:: +*`rsa.misc.sigUUID`*:: + -- -Operating system platform (such centos, ubuntu, windows). 
- type: keyword -example: darwin - -- -*`host.os.version`*:: +*`rsa.misc.spi`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`rsa.misc.srcburb`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - type: keyword -- -*`host.uptime`*:: +*`rsa.misc.srcdom`*:: + -- -Seconds the host has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword -- -*`host.user.domain`*:: +*`rsa.misc.state`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.email`*:: +*`rsa.misc.status1`*:: + -- -User email address. - type: keyword -- -*`host.user.full_name`*:: +*`rsa.misc.svcno`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`rsa.misc.system`*:: + -- -type: text +type: keyword -- -*`host.user.group.domain`*:: +*`rsa.misc.tbdstr1`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.group.id`*:: +*`rsa.misc.tgtdom`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`host.user.group.name`*:: +*`rsa.misc.tgtdomain`*:: + -- -Name of the group. - type: keyword -- -*`host.user.hash`*:: +*`rsa.misc.threshold`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`host.user.id`*:: +*`rsa.misc.type1`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`host.user.name`*:: +*`rsa.misc.udb_class`*:: + -- -Short name or login of the user. 
- type: keyword -example: albert - -- -*`host.user.name.text`*:: +*`rsa.misc.url_fld`*:: + -- -type: text +type: keyword -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. - - -*`http.request.body.bytes`*:: +*`rsa.misc.user_div`*:: + -- -Size in bytes of the request body. - -type: long +type: keyword -example: 887 +-- -format: bytes +*`rsa.misc.userid`*:: ++ +-- +type: keyword -- -*`http.request.body.content`*:: +*`rsa.misc.username_fld`*:: + -- -The full HTTP request body. - type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`rsa.misc.utcstamp`*:: + -- -type: text +type: keyword -- -*`http.request.bytes`*:: +*`rsa.misc.v_instafname`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword -- -*`http.request.method`*:: +*`rsa.misc.vpnid`*:: + -- -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`rsa.misc.autorun_type`*:: + -- -Referrer for this HTTP request. +This is used to capture Auto Run type type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`rsa.misc.cc_number`*:: + -- -Size in bytes of the response body. +Valid Credit Card Numbers only type: long -example: 887 - -format: bytes - -- -*`http.response.body.content`*:: +*`rsa.misc.content`*:: + -- -The full HTTP response body. +This key captures the content type from protocol headers type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`rsa.misc.ein_number`*:: + -- -type: text +Employee Identification Numbers only + +type: long -- -*`http.response.bytes`*:: +*`rsa.misc.found`*:: + -- -Total size in bytes of the response (body and headers). 
+This is used to capture the results of regex match -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword -- -*`http.response.status_code`*:: +*`rsa.misc.lifetime`*:: + -- -HTTP response status code. +This key is used to capture the session lifetime in seconds. type: long -example: 404 - -format: string - -- -*`http.version`*:: +*`rsa.misc.link`*:: + -- -HTTP version. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: 1.1 - -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`rsa.misc.match`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key is for regex match name from search.ini type: keyword -example: outside - -- -*`interface.id`*:: +*`rsa.misc.param_dst`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +This key captures the command line/launch argument of the target process or file type: keyword -example: 10 - -- -*`interface.name`*:: +*`rsa.misc.param_src`*:: + -- -Interface name as reported by the system. +This key captures source parameter type: keyword -example: eth0 - -- -[float] -=== log +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used -Details about the event's logging mechanism or logging transport. 
-The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +type: keyword +-- -*`log.level`*:: +*`rsa.misc.sig_name`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. +This key is used to capture the Signature Name only. type: keyword -example: error - -- -*`log.logger`*:: +*`rsa.misc.snmp_value`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +SNMP set request value type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`rsa.misc.streams`*:: + -- -The line number of the file containing the source code which originated the log event. - -type: integer +This key captures number of streams in session -example: 42 +type: long -- -*`log.origin.file.name`*:: + +*`rsa.db.index`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +This key captures IndexID of the index. type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`rsa.db.instance`*:: + -- -The name of the function or method which originated the log event. +This key is used to capture the database server instance name type: keyword -example: init - -- -*`log.original`*:: +*`rsa.db.database`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. 
-In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +This key is used to capture the name of a database or an instance as seen in a session type: keyword -example: Sep 19 08:26:10 localhost My log - -- -*`log.syslog`*:: +*`rsa.db.transact_id`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +This key captures the SQL transantion ID of the current session -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`rsa.db.permissions`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. +This key captures permission or privilege level assigned to a resource. -type: long - -example: 23 - -format: string +type: keyword -- -*`log.syslog.facility.name`*:: +*`rsa.db.table_name`*:: + -- -The Syslog text-based facility of the log event, if available. +This key is used to capture the table name type: keyword -example: local7 - -- -*`log.syslog.priority`*:: +*`rsa.db.db_id`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long - -example: 135 +This key is used to capture the unique identifier for a database -format: string +type: keyword -- -*`log.syslog.severity.code`*:: +*`rsa.db.db_pid`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. 
firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +This key captures the process id of a connection with database server type: long -example: 3 - -- -*`log.syslog.severity.name`*:: +*`rsa.db.lread`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - -type: keyword +This key is used for the number of logical reads -example: Error +type: long -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. - - -*`network.application`*:: +*`rsa.db.lwrite`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -type: keyword +This key is used for the number of logical writes -example: aim +type: long -- -*`network.bytes`*:: +*`rsa.db.pread`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
+This key is used for the number of physical writes type: long -example: 368 - -format: bytes - -- -*`network.community_id`*:: + +*`rsa.network.alias_host`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - -- -*`network.direction`*:: +*`rsa.network.domain`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. - type: keyword -example: inbound - -- -*`network.forwarded_ip`*:: +*`rsa.network.host_dst`*:: + -- -Host IP address when the source IP address is the proxy. - -type: ip +This key should only be used when it’s a Destination Hostname -example: 192.1.1.2 +type: keyword -- -*`network.iana_number`*:: +*`rsa.network.network_service`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +This is used to capture layer 7 protocols/service names type: keyword -example: 6 - -- -*`network.inner`*:: +*`rsa.network.interface`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. 
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +This key should be used when the source or destination context of an interface is not clear -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`rsa.network.network_port`*:: + -- -VLAN ID as reported by the observer. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword - -example: 10 +type: long -- -*`network.inner.vlan.name`*:: +*`rsa.network.eth_host`*:: + -- -Optional VLAN name as reported by the observer. +Deprecated, use alias.mac type: keyword -example: outside - -- -*`network.name`*:: +*`rsa.network.sinterface`*:: + -- -Name given by operators to sections of their network. +This key should only be used when it’s a Source Interface type: keyword -example: Guest Wifi - -- -*`network.packets`*:: +*`rsa.network.dinterface`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -type: long +This key should only be used when it’s a Destination Interface -example: 24 +type: keyword -- -*`network.protocol`*:: +*`rsa.network.vlan`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -type: keyword +This key should only be used to capture the ID of the Virtual LAN -example: http +type: long -- -*`network.transport`*:: +*`rsa.network.zone_src`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key should only be used when it’s a Source Zone. 
type: keyword -example: tcp - -- -*`network.type`*:: +*`rsa.network.zone`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key should be used when the source or destination context of a Zone is not clear type: keyword -example: ipv4 - -- -*`network.vlan.id`*:: +*`rsa.network.zone_dst`*:: + -- -VLAN ID as reported by the observer. +This key should only be used when it’s a Destination Zone. type: keyword -example: 10 - -- -*`network.vlan.name`*:: +*`rsa.network.gateway`*:: + -- -Optional VLAN name as reported by the observer. +This key is used to capture the IP Address of the gateway type: keyword -example: outside - -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`rsa.network.icmp_type`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
+This key is used to capture the ICMP type only -type: object +type: long -- -*`observer.egress.interface.alias`*:: +*`rsa.network.mask`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key is used to capture the device network IPmask. type: keyword -example: outside - -- -*`observer.egress.interface.id`*:: +*`rsa.network.icmp_code`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - -type: keyword +This key is used to capture the ICMP code only -example: 10 +type: long -- -*`observer.egress.interface.name`*:: +*`rsa.network.protocol_detail`*:: + -- -Interface name as reported by the system. +This key should be used to capture additional protocol information type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`rsa.network.dmask`*:: + -- -VLAN ID as reported by the observer. +This key is used for Destionation Device network mask type: keyword -example: 10 - -- -*`observer.egress.vlan.name`*:: +*`rsa.network.port`*:: + -- -Optional VLAN name as reported by the observer. - -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear -example: outside +type: long -- -*`observer.egress.zone`*:: +*`rsa.network.smask`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +This key is used for capturing source Network Mask type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`rsa.network.netname`*:: + -- -City name. +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -example: Montreal - -- -*`observer.geo.continent_name`*:: +*`rsa.network.paddr`*:: + -- -Name of the continent. 
- -type: keyword +Deprecated -example: North America +type: ip -- -*`observer.geo.country_iso_code`*:: +*`rsa.network.faddr`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`observer.geo.country_name`*:: +*`rsa.network.lhost`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`observer.geo.location`*:: +*`rsa.network.origin`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`observer.geo.name`*:: +*`rsa.network.remote_domain_id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`observer.geo.region_iso_code`*:: +*`rsa.network.addr`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`observer.geo.region_name`*:: +*`rsa.network.dns_a_record`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`observer.hostname`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Hostname of the observer. - type: keyword -- -*`observer.ingress`*:: +*`rsa.network.fhost`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: keyword -- -*`observer.ingress.interface.alias`*:: +*`rsa.network.fport`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`observer.ingress.interface.id`*:: +*`rsa.network.laddr`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). 
- type: keyword -example: 10 - -- -*`observer.ingress.interface.name`*:: +*`rsa.network.linterface`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.ingress.vlan.id`*:: +*`rsa.network.phost`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`observer.ingress.vlan.name`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Optional VLAN name as reported by the observer. +Deprecated, use host.dst type: keyword -example: outside - -- -*`observer.ingress.zone`*:: +*`rsa.network.eth_type`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -example: DMZ +type: long -- -*`observer.ip`*:: +*`rsa.network.ip_proto`*:: + -- -IP addresses of the observer. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: ip +type: long -- -*`observer.mac`*:: +*`rsa.network.dns_cname_record`*:: + -- -MAC addresses of the observer - type: keyword -- -*`observer.name`*:: +*`rsa.network.dns_id`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. - type: keyword -example: 1_proxySG - -- -*`observer.os.family`*:: +*`rsa.network.dns_opcode`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`observer.os.full`*:: +*`rsa.network.dns_resp`*:: + -- -Operating system name, including the version or code name. 
- type: keyword -example: Mac OS Mojave - -- -*`observer.os.full.text`*:: +*`rsa.network.dns_type`*:: + -- -type: text +type: keyword -- -*`observer.os.kernel`*:: +*`rsa.network.domain1`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`observer.os.name`*:: +*`rsa.network.host_type`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`observer.os.name.text`*:: +*`rsa.network.packet_length`*:: + -- -type: text +type: keyword -- -*`observer.os.platform`*:: +*`rsa.network.host_orig`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -example: darwin - -- -*`observer.os.version`*:: +*`rsa.network.rpayload`*:: + -- -Operating system version as a raw string. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -example: 10.14.1 - -- -*`observer.product`*:: +*`rsa.network.vlan_name`*:: + -- -The product name of the observer. +This key should only be used to capture the name of the Virtual LAN type: keyword -example: s200 - -- -*`observer.serial_number`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Observer serial number. +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`observer.type`*:: +*`rsa.investigations.ec_theme`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -example: firewall - -- -*`observer.vendor`*:: +*`rsa.investigations.ec_subject`*:: + -- -Vendor name of the observer. 
+This key captures the Subject of a particular Event(Ex:User) type: keyword -example: Symantec - -- -*`observer.version`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Observer version. +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -[float] -=== organization +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +type: long +-- -*`organization.id`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Unique identifier for the organization. +This key captures the event category name corresponding to the event cat code type: keyword -- -*`organization.name`*:: +*`rsa.investigations.event_vcat`*:: + -- -Organization name. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`organization.name.text`*:: +*`rsa.investigations.analysis_file`*:: + -- -type: text - --- - -[float] -=== os +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -The OS fields contain information about the operating system. +type: keyword +-- -*`os.family`*:: +*`rsa.investigations.analysis_service`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -example: debian - -- -*`os.full`*:: +*`rsa.investigations.analysis_session`*:: + -- -Operating system name, including the version or code name. +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session type: keyword -example: Mac OS Mojave - -- -*`os.full.text`*:: +*`rsa.investigations.boc`*:: + -- -type: text +This is used to capture behaviour of compromise + +type: keyword -- -*`os.kernel`*:: +*`rsa.investigations.eoc`*:: + -- -Operating system kernel version as a raw string. +This is used to capture Enablers of Compromise type: keyword -example: 4.4.0-112-generic - -- -*`os.name`*:: +*`rsa.investigations.inv_category`*:: + -- -Operating system name, without the version. +This used to capture investigation category type: keyword -example: Mac OS X - -- -*`os.name.text`*:: +*`rsa.investigations.inv_context`*:: + -- -type: text +This used to capture investigation context + +type: keyword -- -*`os.platform`*:: +*`rsa.investigations.ioc`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This is key capture indicator of compromise type: keyword -example: darwin - -- -*`os.version`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Operating system version as a raw string. +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword - -example: 10.14.1 +type: long -- -[float] -=== package +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +type: long +-- -*`package.architecture`*:: +*`rsa.counters.event_counter`*:: + -- -Package architecture. - -type: keyword +This is used to capture the number of times an event repeated -example: x86_64 +type: long -- -*`package.build_version`*:: +*`rsa.counters.dclass_r1`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. 
+This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd - -- -*`package.checksum`*:: +*`rsa.counters.dclass_c3`*:: + -- -Checksum of the installed package for verification. +This is a generic counter key that should be used with the label dclass.c3.str only -type: keyword - -example: 68b329da9893e34099c7d8ad5cb9c940 +type: long -- -*`package.description`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Description of the package. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -example: Open source programming language to build simple/reliable/efficient software. - -- -*`package.install_scope`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -example: global - -- -*`package.installed`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Time when package was installed. +This is a generic ratio string key that should be used with the label dclass.r1 only -type: date +type: keyword -- -*`package.license`*:: +*`rsa.counters.dclass_r2`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -example: Apache License 2.0 - -- -*`package.name`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Package name +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -example: go - -- -*`package.path`*:: +*`rsa.counters.dclass_r3`*:: + -- -Path where the package is installed. 
+This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Home page or reference URL of the software in this package, if available. +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Package size in bytes. - -type: long - -example: 62231 +This is a generic ratio string key that should be used with the label dclass.r3 only -format: string +type: keyword -- -*`package.type`*:: + +*`rsa.identity.auth_method`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +This key is used to capture authentication methods used only type: keyword -example: rpm - -- -*`package.version`*:: +*`rsa.identity.user_role`*:: + -- -Package version +This key is used to capture the Role of a user only type: keyword -example: 1.12.9 - -- -[float] -=== pe +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name -These fields contain Windows Portable Executable (PE) metadata. +type: keyword +-- -*`pe.company`*:: +*`rsa.identity.logon_type`*:: + -- -Internal company name of the file, provided at compile-time. +This key is used to capture the type of logon method used. type: keyword -example: Microsoft Corporation - -- -*`pe.description`*:: +*`rsa.identity.profile`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture the user profile type: keyword -example: Paint - -- -*`pe.file_version`*:: +*`rsa.identity.accesses`*:: + -- -Internal version of the file, provided at compile-time. 
+This key is used to capture actual privileges used in accessing an object type: keyword -example: 6.3.9600.17415 - -- -*`pe.original_file_name`*:: +*`rsa.identity.realm`*:: + -- -Internal name of the file, provided at compile-time. +Radius realm or similar grouping of accounts type: keyword -example: MSPAINT.EXE - -- -*`pe.product`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Internal product name of the file, provided at compile-time. +This key captures Destination User Session ID type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== process +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: keyword +-- -*`process.args`*:: +*`rsa.identity.org`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +This key captures the User organization type: keyword -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.args_count`*:: +*`rsa.identity.dn_dst`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn -example: 4 +type: keyword -- -*`process.code_signature.exists`*:: +*`rsa.identity.firstname`*:: + -- -Boolean to capture if a signature is present. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: boolean - -example: true +type: keyword -- -*`process.code_signature.status`*:: +*`rsa.identity.lastname`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.code_signature.subject_name`*:: +*`rsa.identity.user_dept`*:: + -- -Subject name of the code signer +User's Department Names only type: keyword -example: Microsoft Corporation - -- -*`process.code_signature.trusted`*:: +*`rsa.identity.user_sid_src`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +This key captures Source User Session ID -type: boolean - -example: true +type: keyword -- -*`process.code_signature.valid`*:: +*`rsa.identity.federated_sp`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is the Federated Service Provider. This is the application requesting authentication. -example: true +type: keyword -- -*`process.command_line`*:: +*`rsa.identity.federated_idp`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +This key is the federated Identity Provider. This is the server providing the authentication. 
type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.command_line.text`*:: +*`rsa.identity.logon_type_desc`*:: + -- -type: text +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword -- -*`process.entity_id`*:: +*`rsa.identity.middlename`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`rsa.identity.password`*:: + -- -Absolute path to the process executable. +This key is for Passwords seen in any session, plain text or encrypted type: keyword -example: /usr/bin/ssh - -- -*`process.executable.text`*:: +*`rsa.identity.host_role`*:: + -- -type: text +This key should only be used to capture the role of a Host Machine + +type: keyword -- -*`process.exit_code`*:: +*`rsa.identity.ldap`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context -example: 137 +type: keyword -- -*`process.hash.md5`*:: +*`rsa.identity.ldap_query`*:: + -- -MD5 hash. +This key is the Search criteria from an LDAP search type: keyword -- -*`process.hash.sha1`*:: +*`rsa.identity.ldap_response`*:: + -- -SHA1 hash. 
+This key is to capture Results from an LDAP search type: keyword -- -*`process.hash.sha256`*:: +*`rsa.identity.owner`*:: + -- -SHA256 hash. +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`process.hash.sha512`*:: +*`rsa.identity.service_account`*:: + -- -SHA512 hash. +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage type: keyword -- -*`process.name`*:: + +*`rsa.email.email_dst`*:: + -- -Process name. -Sometimes called program name or similar. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -example: ssh - -- -*`process.name.text`*:: +*`rsa.email.email_src`*:: + -- -type: text +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword -- -*`process.parent.args`*:: +*`rsa.email.subject`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. +This key is used to capture the subject string from an Email only. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.parent.args_count`*:: +*`rsa.email.email`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +This key is used to capture a generic email address where the source or destination context is not clear -example: 4 +type: keyword -- -*`process.parent.code_signature.exists`*:: +*`rsa.email.trans_from`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +Deprecated key defined only in table map. -example: true +type: keyword -- -*`process.parent.code_signature.status`*:: +*`rsa.email.trans_to`*:: + -- -Additional information about the certificate status. 
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Deprecated key defined only in table map. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: + +*`rsa.file.privilege`*:: + -- -Subject name of the code signer +Deprecated, use permissions type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.trusted`*:: +*`rsa.file.attachment`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key captures the attachment file name -example: true +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`rsa.file.filesystem`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true +type: keyword -- -*`process.parent.command_line`*:: +*`rsa.file.binary`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Deprecated key defined only in table map. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.parent.command_line.text`*:: +*`rsa.file.filename_dst`*:: + -- -type: text +This is used to capture name of the file targeted by the action + +type: keyword -- -*`process.parent.entity_id`*:: +*`rsa.file.filename_src`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This is used to capture name of the parent filename, the file which performed the action type: keyword -example: c2c455d9f99375d +-- +*`rsa.file.filename_tmp`*:: ++ -- +type: keyword -*`process.parent.executable`*:: +-- + +*`rsa.file.directory_dst`*:: + -- -Absolute path to the process executable. +This key is used to capture the directory of the target process or file type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: +*`rsa.file.directory_src`*:: + -- -type: text +This key is used to capture the directory of the source process or file + +type: keyword -- -*`process.parent.exit_code`*:: +*`rsa.file.file_entropy`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +This is used to capture entropy vale of a file -type: long - -example: 137 +type: double -- -*`process.parent.hash.md5`*:: +*`rsa.file.file_vendor`*:: + -- -MD5 hash. +This is used to capture Company name of file located in version_info type: keyword -- -*`process.parent.hash.sha1`*:: +*`rsa.file.task_name`*:: + -- -SHA1 hash. +This is used to capture name of the task type: keyword -- -*`process.parent.hash.sha256`*:: + +*`rsa.web.fqdn`*:: + -- -SHA256 hash. +Fully Qualified Domain Names type: keyword -- -*`process.parent.hash.sha512`*:: +*`rsa.web.web_cookie`*:: + -- -SHA512 hash. +This key is used to capture the Web cookies specifically. type: keyword -- -*`process.parent.name`*:: +*`rsa.web.alias_host`*:: + -- -Process name. -Sometimes called program name or similar. - type: keyword -example: ssh - -- -*`process.parent.name.text`*:: +*`rsa.web.reputation_num`*:: + -- -type: text +Reputation Number of an entity. 
Typically used for Web Domains + +type: double -- -*`process.parent.pgid`*:: +*`rsa.web.web_ref_domain`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +Web referer's domain -format: string +type: keyword -- -*`process.parent.pid`*:: +*`rsa.web.web_ref_query`*:: + -- -Process id. +This key captures Web referer's query portion of the URL -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword -- -*`process.parent.ppid`*:: +*`rsa.web.web_ref_page`*:: + -- -Parent process' pid. +This key captures Web referer's page information -type: long +type: keyword -example: 4241 +-- -format: string +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword -- -*`process.parent.start`*:: +*`rsa.web.cn_asn_dst`*:: + -- -The time the process started. +type: keyword -type: date +-- -example: 2016-05-23T08:05:34.853Z +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword -- -*`process.parent.thread.id`*:: +*`rsa.web.urlpage`*:: + -- -Thread ID. - -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.web.urlroot`*:: ++ +-- +type: keyword -- -*`process.parent.thread.name`*:: +*`rsa.web.p_url`*:: + -- -Thread name. - type: keyword -example: thread-0 - -- -*`process.parent.title`*:: +*`rsa.web.p_user_agent`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - type: keyword -- -*`process.parent.title.text`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: text +type: keyword -- -*`process.parent.uptime`*:: +*`rsa.web.p_web_method`*:: + -- -Seconds the process has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`process.parent.working_directory`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The working directory of the process. 
- type: keyword -example: /home/alice - -- -*`process.parent.working_directory.text`*:: +*`rsa.web.web_page`*:: + -- -type: text +type: keyword -- -*`process.pe.company`*:: + +*`rsa.threat.threat_category`*:: + -- -Internal company name of the file, provided at compile-time. +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`rsa.threat.threat_desc`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture the threat description from the session directly or inferred type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`rsa.threat.alert`*:: + -- -Internal version of the file, provided at compile-time. +This key is used to capture name of the alert type: keyword -example: 6.3.9600.17415 - -- -*`process.pe.original_file_name`*:: +*`rsa.threat.threat_source`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture source of the threat type: keyword -example: MSPAINT.EXE - -- -*`process.pe.product`*:: + +*`rsa.crypto.crypto`*:: + -- -Internal product name of the file, provided at compile-time. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.pgid`*:: +*`rsa.crypto.cipher_src`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +This key is for Source (Client) Cipher -format: string +type: keyword -- -*`process.pid`*:: +*`rsa.crypto.cert_subject`*:: + -- -Process id. +This key is used to capture the Certificate organization only -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword -- -*`process.ppid`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Parent process' pid. 
+This key captures Source (Client) Cipher Size type: long -example: 4241 - -format: string - -- -*`process.start`*:: +*`rsa.crypto.ike`*:: + -- -The time the process started. - -type: date +IKE negotiation phase. -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.thread.id`*:: +*`rsa.crypto.scheme`*:: + -- -Thread ID. - -type: long - -example: 4242 +This key captures the Encryption scheme used -format: string +type: keyword -- -*`process.thread.name`*:: +*`rsa.crypto.peer_id`*:: + -- -Thread name. +This key is for Encryption peer’s identity type: keyword -example: thread-0 - -- -*`process.title`*:: +*`rsa.crypto.sig_type`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +This key captures the Signature Type type: keyword -- -*`process.title.text`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: text +type: keyword -- -*`process.uptime`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Seconds the process has been up. - -type: long +Deprecated key defined only in table map. -example: 1325 +type: keyword -- -*`process.working_directory`*:: +*`rsa.crypto.cert_error`*:: + -- -The working directory of the process. +This key captures the Certificate Error String type: keyword -example: /home/alice - -- -*`process.working_directory.text`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: text +This key is for Destination (Server) Cipher + +type: keyword -- -[float] -=== registry +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size -Fields related to Windows Registry operations. +type: long +-- -*`registry.data.bytes`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +Deprecated, use version type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`registry.data.strings`*:: +*`rsa.crypto.d_certauth`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] - -- -*`registry.data.type`*:: +*`rsa.crypto.s_certauth`*:: + -- -Standard registry type for encoding contents - type: keyword -example: REG_SZ - -- -*`registry.hive`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Abbreviated name for the hive. +ID of the negotiation — sent for ISAKMP Phase One type: keyword -example: HKLM - -- -*`registry.key`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Hive-relative path of keys. +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - -- -*`registry.path`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Full path, including hive, key and value - type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`registry.value`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Name of the value written. +This key is used for the hostname category value of a certificate type: keyword -example: Debugger - -- -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: +*`rsa.crypto.cert_serial`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +This key is used to capture the Certificate serial number only type: keyword -- -*`related.ip`*:: +*`rsa.crypto.cert_status`*:: + -- -All of the IPs seen on your event. +This key captures Certificate validation status -type: ip +type: keyword -- -*`related.user`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -All the user names seen on your event. +Deprecated, use version type: keyword -- -[float] -=== rule - -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. - - -*`rule.author`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - type: keyword -example: ['Star-Lord'] - -- -*`rule.category`*:: +*`rsa.crypto.cert_username`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. - type: keyword -example: Attempted Information Leak - -- -*`rule.description`*:: +*`rsa.crypto.https_insact`*:: + -- -The description of the rule generating the event. 
- type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols - -- -*`rule.id`*:: +*`rsa.crypto.https_valid`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - type: keyword -example: 101 - -- -*`rule.license`*:: +*`rsa.crypto.cert_ca`*:: + -- -Name of the license under which the rule used to generate this event is made available. +This key is used to capture the Certificate signing authority only type: keyword -example: Apache 2.0 - -- -*`rule.name`*:: +*`rsa.crypto.cert_common`*:: + -- -The name of the rule or signature generating the event. +This key is used to capture the Certificate common name only type: keyword -example: BLOCK_DNS_over_TLS - -- -*`rule.reference`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. +This key is used to capture the ssid of a Wireless Session type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS - -- -*`rule.ruleset`*:: +*`rsa.wireless.access_point`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. +This key is used to capture the access point name. type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`rsa.wireless.wlan_channel`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - -type: keyword +This is used to capture the channel names -example: 1100110011 +type: long -- -*`rule.version`*:: +*`rsa.wireless.wlan_name`*:: + -- -The version / revision of the rule being used for analysis. 
+This key captures either WLAN number/name type: keyword -example: 1.1 - -- -[float] -=== server - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. - -*`server.address`*:: +*`rsa.storage.disk_volume`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`server.as.number`*:: +*`rsa.storage.lun`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +Logical Unit Number.This key is a very useful concept in Storage. -example: 15169 +type: keyword -- -*`server.as.organization.name`*:: +*`rsa.storage.pwwn`*:: + -- -Organization name. +This uniquely identifies a port on a HBA. 
type: keyword -example: Google LLC - --- - -*`server.as.organization.name.text`*:: -+ -- -type: text --- -*`server.bytes`*:: +*`rsa.physical.org_dst`*:: + -- -Bytes sent from the server to the client. - -type: long - -example: 184 +This is used to capture the destination organization based on the GEOPIP Maxmind database. -format: bytes +type: keyword -- -*`server.domain`*:: +*`rsa.physical.org_src`*:: + -- -Server domain. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`server.geo.city_name`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -City name. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Montreal - -- -*`server.geo.continent_name`*:: +*`rsa.healthcare.patient_id`*:: + -- -Name of the continent. +This key captures the unique ID for a patient type: keyword -example: North America - -- -*`server.geo.country_iso_code`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Country ISO code. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: CA - -- -*`server.geo.country_name`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Country name. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Canada - --- - -*`server.geo.location`*:: -+ -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } --- -*`server.geo.name`*:: +*`rsa.endpoint.host_state`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -example: boston-dc - -- -*`server.geo.region_iso_code`*:: +*`rsa.endpoint.registry_key`*:: + -- -Region ISO code. +This key captures the path to the registry key type: keyword -example: CA-QC - -- -*`server.geo.region_name`*:: +*`rsa.endpoint.registry_value`*:: + -- -Region name. +This key captures values or decorators used within a registry entry type: keyword -example: Quebec - --- - -*`server.ip`*:: -+ -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. -type: ip +[[exported-fields-cef]] +== Decode CEF processor fields fields --- +Common Event Format (CEF) data. -*`server.mac`*:: -+ --- -MAC address of the server. -type: keyword --- +[float] +=== cef -*`server.nat.ip`*:: -+ --- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. -type: ip --- -*`server.nat.port`*:: +*`cef.version`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +Version of the CEF specification used by the message. -type: long -format: string +type: keyword -- -*`server.packets`*:: +*`cef.device.vendor`*:: + -- -Packets sent from the server to the client. +Vendor of the device that produced the message. -type: long -example: 12 +type: keyword -- -*`server.port`*:: +*`cef.device.product`*:: + -- -Port of the server. +Product of the device that produced the message. -type: long -format: string +type: keyword -- -*`server.registered_domain`*:: +*`cef.device.version`*:: + -- -The highest registered server domain, stripped of the subdomain. 
-For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Version of the product that produced the message. -type: keyword -example: google.com +type: keyword -- -*`server.top_level_domain`*:: +*`cef.device.event_class_id`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Unique identifier of the event type. -type: keyword -example: co.uk +type: keyword -- -*`server.user.domain`*:: +*`cef.severity`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. + type: keyword +example: Very-High + -- -*`server.user.email`*:: +*`cef.name`*:: + -- -User email address. +Short description of the event. + type: keyword -- -*`server.user.full_name`*:: -+ --- -User's full name, if available. +[float] +=== extensions -type: keyword +Collection of key-value pairs carried in the CEF extension field. -example: Albert Einstein --- -*`server.user.full_name.text`*:: +*`cef.extensions.agentAddress`*:: + -- -type: text +The IP address of the ArcSight connector that processed the event. + +type: ip -- -*`server.user.group.domain`*:: +*`cef.extensions.agentDnsDomain`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. 
+The DNS domain name of the ArcSight connector that processed the event. type: keyword -- -*`server.user.group.id`*:: +*`cef.extensions.agentHostName`*:: + -- -Unique identifier for the group on the system/platform. +The hostname of the ArcSight connector that processed the event. type: keyword -- -*`server.user.group.name`*:: +*`cef.extensions.agentId`*:: + -- -Name of the group. +The agent ID of the ArcSight connector that processed the event. type: keyword -- -*`server.user.hash`*:: +*`cef.extensions.agentMacAddress`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +The MAC address of the ArcSight connector that processed the event. type: keyword -- -*`server.user.id`*:: +*`cef.extensions.agentNtDomain`*:: + -- -Unique identifiers of the user. +None type: keyword -- -*`server.user.name`*:: +*`cef.extensions.agentReceiptTime`*:: + -- -Short name or login of the user. - -type: keyword +The time at which information about the event was received by the ArcSight connector. -example: albert +type: date -- -*`server.user.name.text`*:: +*`cef.extensions.agentTimeZone`*:: + -- -type: text - --- - -[float] -=== service +The agent time zone of the ArcSight connector that processed the event. -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +type: keyword +-- -*`service.ephemeral_id`*:: +*`cef.extensions.agentTranslatedAddress`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -type: keyword +None -example: 8a4f500f +type: ip -- -*`service.id`*:: +*`cef.extensions.agentTranslatedZoneExternalID`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. 
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +None type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - -- -*`service.name`*:: +*`cef.extensions.agentTranslatedZoneURI`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +None type: keyword -example: elasticsearch-metrics - -- -*`service.node.name`*:: +*`cef.extensions.agentType`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +The agent type of the ArcSight connector that processed the event type: keyword -example: instance-0000000016 - -- -*`service.state`*:: +*`cef.extensions.agentVersion`*:: + -- -Current state of the service. +The version of the ArcSight connector that processed the event. 
type: keyword -- -*`service.type`*:: +*`cef.extensions.agentZoneExternalID`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +None type: keyword -example: elasticsearch - -- -*`service.version`*:: +*`cef.extensions.agentZoneURI`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +None type: keyword -example: 3.2.4 - -- -[float] -=== source - -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. - - -*`source.address`*:: +*`cef.extensions.applicationProtocol`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. type: keyword -- -*`source.as.number`*:: +*`cef.extensions.baseEventCount`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. type: long -example: 15169 - -- -*`source.as.organization.name`*:: +*`cef.extensions.bytesIn`*:: + -- -Organization name. - -type: keyword +Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. 
-example: Google LLC +type: long -- -*`source.as.organization.name.text`*:: +*`cef.extensions.bytesOut`*:: + -- -type: text +Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + +type: long -- -*`source.bytes`*:: +*`cef.extensions.customerExternalID`*:: + -- -Bytes sent from the source to the destination. - -type: long - -example: 184 +None -format: bytes +type: keyword -- -*`source.domain`*:: +*`cef.extensions.customerURI`*:: + -- -Source domain. +None type: keyword -- -*`source.geo.city_name`*:: +*`cef.extensions.destinationAddress`*:: + -- -City name. - -type: keyword +Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. -example: Montreal +type: ip -- -*`source.geo.continent_name`*:: +*`cef.extensions.destinationDnsDomain`*:: + -- -Name of the continent. +The DNS domain part of the complete fully qualified domain name (FQDN). type: keyword -example: North America - -- -*`source.geo.country_iso_code`*:: +*`cef.extensions.destinationGeoLatitude`*:: + -- -Country ISO code. - -type: keyword +The latitudinal value from which the destination's IP address belongs. -example: CA +type: double -- -*`source.geo.country_name`*:: +*`cef.extensions.destinationGeoLongitude`*:: + -- -Country name. - -type: keyword +The longitudinal value from which the destination's IP address belongs. -example: Canada +type: double -- -*`source.geo.location`*:: +*`cef.extensions.destinationHostName`*:: + -- -Longitude and latitude. - -type: geo_point +Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. 
-example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`source.geo.name`*:: +*`cef.extensions.destinationMacAddress`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Six colon-seperated hexadecimal numbers. type: keyword -example: boston-dc - -- -*`source.geo.region_iso_code`*:: +*`cef.extensions.destinationNtDomain`*:: + -- -Region ISO code. +The Windows domain name of the destination address. type: keyword -example: CA-QC - -- -*`source.geo.region_name`*:: +*`cef.extensions.destinationPort`*:: + -- -Region name. - -type: keyword +The valid port numbers are between 0 and 65535. -example: Quebec +type: long -- -*`source.ip`*:: +*`cef.extensions.destinationProcessId`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. -type: ip +type: long -- -*`source.mac`*:: +*`cef.extensions.destinationProcessName`*:: + -- -MAC address of the source. +The name of the event's destination process. type: keyword -- -*`source.nat.ip`*:: +*`cef.extensions.destinationServiceName`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +The service targeted by this event. -type: ip +type: keyword -- -*`source.nat.port`*:: +*`cef.extensions.destinationTranslatedAddress`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long +Identifies the translated destination that the event refers to in an IP network. 
-format: string +type: ip -- -*`source.packets`*:: +*`cef.extensions.destinationTranslatedPort`*:: + -- -Packets sent from the source to the destination. +Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. type: long -example: 12 - -- -*`source.port`*:: +*`cef.extensions.destinationTranslatedZoneExternalID`*:: + -- -Port of the source. - -type: long +None -format: string +type: keyword -- -*`source.registered_domain`*:: +*`cef.extensions.destinationTranslatedZoneURI`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. type: keyword -example: google.com - -- -*`source.top_level_domain`*:: +*`cef.extensions.destinationUserId`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -example: co.uk - -- -*`source.user.domain`*:: +*`cef.extensions.destinationUserName`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. 
The recipient is a candidate to put into this field. type: keyword -- -*`source.user.email`*:: +*`cef.extensions.destinationUserPrivileges`*:: + -- -User email address. +The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". type: keyword -- -*`source.user.full_name`*:: +*`cef.extensions.destinationZoneExternalID`*:: + -- -User's full name, if available. +None type: keyword -example: Albert Einstein - -- -*`source.user.full_name.text`*:: +*`cef.extensions.destinationZoneURI`*:: + -- -type: text +The URI for the Zone that the destination asset has been assigned to in ArcSight. + +type: keyword -- -*`source.user.group.domain`*:: +*`cef.extensions.deviceAction`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Action taken by the device. type: keyword -- -*`source.user.group.id`*:: +*`cef.extensions.deviceAddress`*:: + -- -Unique identifier for the group on the system/platform. +Identifies the device address that an event refers to in an IP network. -type: keyword +type: ip -- -*`source.user.group.name`*:: +*`cef.extensions.deviceCustomFloatingPoint1Label`*:: + -- -Name of the group. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -- -*`source.user.hash`*:: +*`cef.extensions.deviceCustomFloatingPoint3Label`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -- -*`source.user.id`*:: +*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + -- -Unique identifiers of the user. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -- -*`source.user.name`*:: +*`cef.extensions.deviceCustomDate1`*:: + -- -Short name or login of the user. - -type: keyword +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. -example: albert +type: date -- -*`source.user.name.text`*:: +*`cef.extensions.deviceCustomDate1Label`*:: + -- -type: text +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword -- -[float] -=== threat +*`cef.extensions.deviceCustomDate2`*:: ++ +-- +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: date +-- -*`threat.framework`*:: +*`cef.extensions.deviceCustomDate2Label`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: MITRE ATT&CK - -- -*`threat.tactic.id`*:: +*`cef.extensions.deviceCustomFloatingPoint1`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: TA0040 +type: double -- -*`threat.tactic.name`*:: +*`cef.extensions.deviceCustomFloatingPoint2`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: impact +type: double -- -*`threat.tactic.reference`*:: +*`cef.extensions.deviceCustomFloatingPoint2Label`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/tactics/TA0040/ - -- -*`threat.technique.id`*:: +*`cef.extensions.deviceCustomFloatingPoint3`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: T1499 +type: double -- -*`threat.technique.name`*:: +*`cef.extensions.deviceCustomFloatingPoint4`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/techniques/T1499/ ) - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: endpoint denial of service +type: double -- -*`threat.technique.name.text`*:: +*`cef.extensions.deviceCustomIPv6Address1`*:: + -- -type: text +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + +type: ip -- -*`threat.technique.reference`*:: +*`cef.extensions.deviceCustomIPv6Address1Label`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/techniques/T1499/ - -- -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`cef.extensions.deviceCustomIPv6Address2`*:: + -- -String indicating the cipher used during the current connection. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +type: ip -- -*`tls.client.certificate`*:: +*`cef.extensions.deviceCustomIPv6Address2Label`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: MII... 
- -- -*`tls.client.certificate_chain`*:: +*`cef.extensions.deviceCustomIPv6Address3`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: ['MII...', 'MII...'] +type: ip -- -*`tls.client.hash.md5`*:: +*`cef.extensions.deviceCustomIPv6Address3Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.client.hash.sha1`*:: +*`cef.extensions.deviceCustomIPv6Address4`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +type: ip -- -*`tls.client.hash.sha256`*:: +*`cef.extensions.deviceCustomIPv6Address4Label`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.client.issuer`*:: +*`cef.extensions.deviceCustomNumber1`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - -type: keyword +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +type: long -- -*`tls.client.ja3`*:: +*`cef.extensions.deviceCustomNumber1Label`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: d4e5b18d6b55c71272893221c96ba240 - -- -*`tls.client.not_after`*:: +*`cef.extensions.deviceCustomNumber2`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. - -type: date +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: 2021-01-01T00:00:00.000Z +type: long -- -*`tls.client.not_before`*:: +*`cef.extensions.deviceCustomNumber2Label`*:: + -- -Date/Time indicating when client certificate is first considered valid. - -type: date +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.client.server_name`*:: +*`cef.extensions.deviceCustomNumber3`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. 
- -type: keyword +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: www.elastic.co +type: long -- -*`tls.client.subject`*:: +*`cef.extensions.deviceCustomNumber3Label`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com - -- -*`tls.client.supported_ciphers`*:: +*`cef.extensions.deviceCustomString1`*:: + -- -Array of ciphers offered by the client during the client hello. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] - -- -*`tls.curve`*:: +*`cef.extensions.deviceCustomString1Label`*:: + -- -String indicating the curve used for the given cipher, when applicable. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: secp256r1 - -- -*`tls.established`*:: +*`cef.extensions.deviceCustomString2`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: keyword -- -*`tls.next_protocol`*:: +*`cef.extensions.deviceCustomString2Label`*:: + -- -String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: http/1.1 - -- -*`tls.resumed`*:: +*`cef.extensions.deviceCustomString3`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: keyword -- -*`tls.server.certificate`*:: +*`cef.extensions.deviceCustomString3Label`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: MII... - -- -*`tls.server.certificate_chain`*:: +*`cef.extensions.deviceCustomString4`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: ['MII...', 'MII...'] - -- -*`tls.server.hash.md5`*:: +*`cef.extensions.deviceCustomString4Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.server.hash.sha1`*:: +*`cef.extensions.deviceCustomString5`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - -- -*`tls.server.hash.sha256`*:: +*`cef.extensions.deviceCustomString5Label`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.server.issuer`*:: +*`cef.extensions.deviceCustomString6`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.server.ja3s`*:: +*`cef.extensions.deviceCustomString6Label`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 394441ab65754e2207b1e1b457b3641d - -- -*`tls.server.not_after`*:: +*`cef.extensions.deviceDirection`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date +Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. -example: 2021-01-01T00:00:00.000Z +type: long -- -*`tls.server.not_before`*:: +*`cef.extensions.deviceDnsDomain`*:: + -- -Timestamp indicating when server certificate is first considered valid. - -type: date +The DNS domain part of the complete fully qualified domain name (FQDN). -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.subject`*:: +*`cef.extensions.deviceEventCategory`*:: + -- -Subject of the x.509 certificate presented by the server. +Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.version`*:: +*`cef.extensions.deviceExternalId`*:: + -- -Numeric part of the version parsed from the original string. +A name that uniquely identifies the device generating this event. type: keyword -example: 1.2 - -- -*`tls.version_protocol`*:: +*`cef.extensions.deviceFacility`*:: + -- -Normalized lowercase protocol name parsed from original string. +The facility generating this event. For example, Syslog has an explicit facility associated with every event. type: keyword -example: tls - -- -[float] -=== tracing +*`cef.extensions.deviceFlexNumber1`*:: ++ +-- +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +type: long +-- -*`tracing.trace.id`*:: +*`cef.extensions.deviceFlexNumber1Label`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 - -- -*`tracing.transaction.id`*:: +*`cef.extensions.deviceFlexNumber2`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. - -type: keyword +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: 00f067aa0ba902b7 +type: long -- -[float] -=== url +*`cef.extensions.deviceFlexNumber2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +-- -*`url.domain`*:: +*`cef.extensions.deviceHostName`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. type: keyword -example: www.elastic.co - -- -*`url.extension`*:: +*`cef.extensions.deviceInboundInterface`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +Interface on which the packet or data entered the device. type: keyword -example: png - -- -*`url.fragment`*:: +*`cef.extensions.deviceMacAddress`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +Six colon-separated hexadecimal numbers. type: keyword -- -*`url.full`*:: +*`cef.extensions.deviceNtDomain`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +The Windows domain name of the device address. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top - -- -*`url.full.text`*:: +*`cef.extensions.deviceOutboundInterface`*:: + -- -type: text +Interface on which the packet or data left the device. + +type: keyword -- -*`url.original`*:: +*`cef.extensions.devicePayloadId`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +Unique identifier for the payload associated with the event. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - -- -*`url.original.text`*:: +*`cef.extensions.deviceProcessId`*:: + -- -type: text +Provides the ID of the process on the device generating the event. + +type: long -- -*`url.password`*:: +*`cef.extensions.deviceProcessName`*:: + -- -Password of the request. +Process name associated with the event. An example might be the process generating the syslog entry in UNIX. type: keyword -- -*`url.path`*:: +*`cef.extensions.deviceReceiptTime`*:: + -- -Path of the request, such as "/search". 
+The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -type: keyword +type: date -- -*`url.port`*:: +*`cef.extensions.deviceTimeZone`*:: + -- -Port of the request, such as 443. - -type: long - -example: 443 +The time zone for the device generating the event. -format: string +type: keyword -- -*`url.query`*:: +*`cef.extensions.deviceTranslatedAddress`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Identifies the translated device address that the event refers to in an IP network. -type: keyword +type: ip -- -*`url.registered_domain`*:: +*`cef.extensions.deviceTranslatedZoneExternalID`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +None type: keyword -example: google.com - -- -*`url.scheme`*:: +*`cef.extensions.deviceTranslatedZoneURI`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +The URI for the Translated Zone that the device asset has been assigned to in ArcSight. type: keyword -example: https - -- -*`url.top_level_domain`*:: +*`cef.extensions.deviceZoneExternalID`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +None type: keyword -example: co.uk - -- -*`url.username`*:: +*`cef.extensions.deviceZoneURI`*:: + -- -Username of the request. +Thee URI for the Zone that the device asset has been assigned to in ArcSight. type: keyword -- -[float] -=== user +*`cef.extensions.endTime`*:: ++ +-- +The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +type: date +-- -*`user.domain`*:: +*`cef.extensions.eventId`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This is a unique ID that ArcSight assigns to each event. -type: keyword +type: long -- -*`user.email`*:: +*`cef.extensions.eventOutcome`*:: + -- -User email address. +Displays the outcome, usually as 'success' or 'failure'. type: keyword -- -*`user.full_name`*:: +*`cef.extensions.externalId`*:: + -- -User's full name, if available. +The ID used by an originating device. They are usually increasing numbers, associated with events. type: keyword -example: Albert Einstein - -- -*`user.full_name.text`*:: +*`cef.extensions.fileCreateTime`*:: + -- -type: text +Time when the file was created. + +type: date -- -*`user.group.domain`*:: +*`cef.extensions.fileHash`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Hash of a file. type: keyword -- -*`user.group.id`*:: +*`cef.extensions.fileId`*:: + -- -Unique identifier for the group on the system/platform. 
+An ID associated with a file could be the inode. type: keyword -- -*`user.group.name`*:: +*`cef.extensions.fileModificationTime`*:: + -- -Name of the group. +Time when the file was last modified. -type: keyword +type: date -- -*`user.hash`*:: +*`cef.extensions.filename`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Name of the file only (without its path). type: keyword -- -*`user.id`*:: +*`cef.extensions.filePath`*:: + -- -Unique identifiers of the user. +Full path to the file, including file name itself. type: keyword -- -*`user.name`*:: +*`cef.extensions.filePermission`*:: + -- -Short name or login of the user. +Permissions of the file. type: keyword -example: albert - -- -*`user.name.text`*:: +*`cef.extensions.fileSize`*:: + -- -type: text - --- - -[float] -=== user_agent +Size of the file. -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: long +-- -*`user_agent.device.name`*:: +*`cef.extensions.fileType`*:: + -- -Name of the device. +Type of file (pipe, socket, etc.) type: keyword -example: iPhone - -- -*`user_agent.name`*:: +*`cef.extensions.flexDate1`*:: + -- -Name of the user agent. - -type: keyword +A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. -example: Safari +type: date -- -*`user_agent.original`*:: +*`cef.extensions.flexDate1Label`*:: + -- -Unparsed user_agent string. +The label field is a string and describes the purpose of the flex field. 
type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - -- -*`user_agent.original.text`*:: +*`cef.extensions.flexString1`*:: + -- -type: text +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: keyword -- -*`user_agent.os.family`*:: +*`cef.extensions.flexString2`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. type: keyword -example: debian - -- -*`user_agent.os.full`*:: +*`cef.extensions.flexString1Label`*:: + -- -Operating system name, including the version or code name. +The label field is a string and describes the purpose of the flex field. type: keyword -example: Mac OS Mojave - -- -*`user_agent.os.full.text`*:: +*`cef.extensions.flexString2Label`*:: + -- -type: text +The label field is a string and describes the purpose of the flex field. + +type: keyword -- -*`user_agent.os.kernel`*:: +*`cef.extensions.message`*:: + -- -Operating system kernel version as a raw string. +An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. type: keyword -example: 4.4.0-112-generic - -- -*`user_agent.os.name`*:: +*`cef.extensions.oldFileCreateTime`*:: + -- -Operating system name, without the version. - -type: keyword +Time when old file was created. 
-example: Mac OS X +type: date -- -*`user_agent.os.name.text`*:: +*`cef.extensions.oldFileHash`*:: + -- -type: text +Hash of the old file. + +type: keyword -- -*`user_agent.os.platform`*:: +*`cef.extensions.oldFileId`*:: + -- -Operating system platform (such centos, ubuntu, windows). +An ID associated with the old file could be the inode. type: keyword -example: darwin - -- -*`user_agent.os.version`*:: +*`cef.extensions.oldFileModificationTime`*:: + -- -Operating system version as a raw string. - -type: keyword +Time when old file was last modified. -example: 10.14.1 +type: date -- -*`user_agent.version`*:: +*`cef.extensions.oldFileName`*:: + -- -Version of the user agent. +Name of the old file. type: keyword -example: 12.0 - -- -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: +*`cef.extensions.oldFilePath`*:: + -- -VLAN ID as reported by the observer. +Full path to the old file, including the file name itself. 
type: keyword -example: 10 - -- -*`vlan.name`*:: +*`cef.extensions.oldFilePermission`*:: + -- -Optional VLAN name as reported by the observer. +Permissions of the old file. type: keyword -example: outside - -- -[float] -=== vulnerability +*`cef.extensions.oldFileSize`*:: ++ +-- +Size of the old file. -The vulnerability fields describe information about a vulnerability that is relevant to an event. +type: long +-- -*`vulnerability.category`*:: +*`cef.extensions.oldFileType`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Type of the old file (pipe, socket, etc.) type: keyword -example: ["Firewall"] - -- -*`vulnerability.classification`*:: +*`cef.extensions.rawEvent`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +None type: keyword -example: CVSS - -- -*`vulnerability.description`*:: +*`cef.extensions.Reason`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) +The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234". type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC... - -- -*`vulnerability.description.text`*:: +*`cef.extensions.requestClientApplication`*:: + -- -type: text +The User-Agent associated with the request. + +type: keyword -- -*`vulnerability.enumeration`*:: +*`cef.extensions.requestContext`*:: + -- -The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/) +Description of the content from which the request originated (for example, HTTP Referrer) type: keyword -example: CVE - -- -*`vulnerability.id`*:: +*`cef.extensions.requestCookies`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Cookies associated with the request. type: keyword -example: CVE-2019-00001 - -- -*`vulnerability.reference`*:: +*`cef.extensions.requestMethod`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +The HTTP method used to access a URL. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - -- -*`vulnerability.report_id`*:: +*`cef.extensions.requestUrl`*:: + -- -The report or scan identification number. +In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. type: keyword -example: 20191018.0001 - -- -*`vulnerability.scanner.vendor`*:: +*`cef.extensions.sourceAddress`*:: + -- -The name of the vulnerability scanner vendor. - -type: keyword +Identifies the source that an event refers to in an IP network. -example: Tenable +type: ip -- -*`vulnerability.score.base`*:: +*`cef.extensions.sourceDnsDomain`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float +The DNS domain part of the complete fully qualified domain name (FQDN). 
-example: 5.5 +type: keyword -- -*`vulnerability.score.environmental`*:: +*`cef.extensions.sourceGeoLatitude`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - -type: float +None -example: 5.5 +type: double -- -*`vulnerability.score.temporal`*:: +*`cef.extensions.sourceGeoLongitude`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +None -type: float +type: double -- -*`vulnerability.score.version`*:: +*`cef.extensions.sourceHostName`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. -type: keyword -example: 2.0 +type: keyword -- -*`vulnerability.severity`*:: +*`cef.extensions.sourceMacAddress`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Six colon-separated hexadecimal numbers. 
type: keyword -example: Critical +example: 00:0d:60:af:1b:61 -- -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - +*`cef.extensions.sourceNtDomain`*:: ++ +-- +The Windows domain name for the source address. +type: keyword -[float] -=== elasticsearch +-- +*`cef.extensions.sourcePort`*:: ++ +-- +The valid port numbers are 0 to 65535. +type: long +-- -*`elasticsearch.component`*:: +*`cef.extensions.sourceProcessId`*:: + -- -Elasticsearch component from where the log event originated - -type: keyword +The ID of the source process associated with the event. -example: o.e.c.m.MetaDataCreateIndexService +type: long -- -*`elasticsearch.cluster.uuid`*:: +*`cef.extensions.sourceProcessName`*:: + -- -UUID of the cluster +The name of the event's source process. type: keyword -example: GmvrbHlNTiSVYiPf8kxg9g - -- -*`elasticsearch.cluster.name`*:: +*`cef.extensions.sourceServiceName`*:: + -- -Name of the cluster +The service that is responsible for generating this event. type: keyword -example: docker-cluster - -- -*`elasticsearch.node.id`*:: +*`cef.extensions.sourceTranslatedAddress`*:: + -- -ID of the node - -type: keyword +Identifies the translated source that the event refers to in an IP network. -example: DSiWcTyeThWtUXLB9J0BMw +type: ip -- -*`elasticsearch.node.name`*:: +*`cef.extensions.sourceTranslatedPort`*:: + -- -Name of the node - -type: keyword +A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. -example: vWNJsZ3 +type: long -- -*`elasticsearch.index.name`*:: +*`cef.extensions.sourceTranslatedZoneExternalID`*:: + -- -Index name +None type: keyword -example: filebeat-test-input - -- -*`elasticsearch.index.id`*:: +*`cef.extensions.sourceTranslatedZoneURI`*:: + -- -Index id +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. 
type: keyword -example: aOGgDwbURfCV57AScqbCgw - -- -*`elasticsearch.shard.id`*:: +*`cef.extensions.sourceUserId`*:: + -- -Id of the shard +Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -example: 0 - -- -[float] -=== audit - +*`cef.extensions.sourceUserName`*:: ++ +-- +Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. +type: keyword +-- -*`elasticsearch.audit.layer`*:: +*`cef.extensions.sourceUserPrivileges`*:: + -- -The layer from which this event originated: rest, transport or ip_filter +The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". type: keyword -example: rest - -- -*`elasticsearch.audit.event_type`*:: +*`cef.extensions.sourceZoneExternalID`*:: + -- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied +None type: keyword -example: access_granted - -- -*`elasticsearch.audit.origin.type`*:: +*`cef.extensions.sourceZoneURI`*:: + -- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) +The URI for the Zone that the source asset has been assigned to in ArcSight. type: keyword -example: local_node - -- -*`elasticsearch.audit.realm`*:: +*`cef.extensions.startTime`*:: + -- -The authentication realm the authentication was validated against +The time when the activity the event referred to started. 
The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -type: keyword +type: date -- -*`elasticsearch.audit.user.realm`*:: +*`cef.extensions.transportProtocol`*:: + -- -The user's authentication realm, if authenticated +Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. type: keyword -- -*`elasticsearch.audit.user.roles`*:: +*`cef.extensions.type`*:: + -- -Roles to which the principal belongs - -type: keyword +0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). -example: ['kibana_user', 'beats_admin'] +type: long -- -*`elasticsearch.audit.action`*:: +*`cef.extensions.categoryDeviceType`*:: + -- -The name of the action that was executed +Device type. Examples - Proxy, IDS, Web Server type: keyword -example: cluster:monitor/main - -- -*`elasticsearch.audit.url.params`*:: +*`cef.extensions.categoryObject`*:: + -- -REST URI parameters +Object that the event is about. For example it can be an operating sytem, database, file, etc. -example: {username=jacknich2} +type: keyword -- -*`elasticsearch.audit.indices`*:: +*`cef.extensions.categoryBehavior`*:: + -- -Indices accessed by action +Action or a behavior associated with an event. It's what is being done to the object. type: keyword -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] - -- -*`elasticsearch.audit.request.id`*:: +*`cef.extensions.categoryTechnique`*:: + -- -Unique ID of request +Technique being used (e.g. /DoS). type: keyword -example: WzL_kb6VSvOhAq0twPvHOQ - -- -*`elasticsearch.audit.request.name`*:: +*`cef.extensions.categoryDeviceGroup`*:: + -- -The type of request that was executed +General device group like Firewall. type: keyword -example: ClearScrollRequest - -- -*`elasticsearch.audit.request_body`*:: +*`cef.extensions.categorySignificance`*:: + -- -type: alias +Characterization of the importance of the event. 
-alias to: http.request.body.content +type: keyword -- -*`elasticsearch.audit.origin_address`*:: +*`cef.extensions.categoryOutcome`*:: + -- -type: alias +Outcome of the event (e.g. sucess, failure, or attempt). -alias to: source.ip +type: keyword -- -*`elasticsearch.audit.uri`*:: +*`cef.extensions.managerReceiptTime`*:: + -- -type: alias +When the Arcsight ESM received the event. -alias to: url.original +type: date -- -*`elasticsearch.audit.principal`*:: +*`source.service.name`*:: + -- -type: alias +Service that is the source of the event. -alias to: user.name +type: keyword -- -*`elasticsearch.audit.message`*:: +*`destination.service.name`*:: + -- -type: text +Service that is the target of the event. + +type: keyword -- -[float] -=== deprecation +[[exported-fields-cef-module]] +== CEF fields + +Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. [float] -=== gc +=== forcepoint + +Fields for Forcepoint Custom String mappings + + + +*`forcepoint.virus_id`*:: ++ +-- +Virus ID -GC fileset fields. +type: keyword +-- [float] -=== phase +=== checkpoint -Fields specific to GC phase. +Fields for Check Point custom string mappings. -*`elasticsearch.gc.phase.name`*:: +*`checkpoint.app_risk`*:: + -- -Name of the GC collection phase. - +Application risk. type: keyword -- -*`elasticsearch.gc.phase.duration_sec`*:: +*`checkpoint.app_severity`*:: + -- -Collection phase duration according to the Java virtual machine. - +Application threat severity. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: +*`checkpoint.app_sig_id`*:: + -- -Pause time in seconds cleaning up symbol tables. - +The signature ID which the application was detected by. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: +*`checkpoint.auth_method`*:: + -- -Pause time in seconds cleaning up string tables. - +Password authentication protocol used. 
-type: float +type: keyword -- -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: +*`checkpoint.category`*:: + -- -Time spent processing weak references in seconds. - +Category. -type: float +type: keyword -- -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: +*`checkpoint.confidence_level`*:: + -- -Time spent in seconds marking live objects while application is stopped. - +Confidence level determined. -type: float +type: integer -- -*`elasticsearch.gc.phase.class_unload_time_sec`*:: +*`checkpoint.connectivity_state`*:: + -- -Time spent unloading unused classes in seconds. - +Connectivity state. -type: float +type: keyword -- -[float] -=== cpu_time - -Process CPU time spent performing collections. +*`checkpoint.cookie`*:: ++ +-- +IKE cookie. +type: keyword +-- -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: +*`checkpoint.dst_phone_number`*:: + -- -CPU time spent outside the kernel. - +Destination IP-Phone. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: +*`checkpoint.email_control`*:: + -- -CPU time spent inside the kernel. - +Engine name. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: +*`checkpoint.email_id`*:: + -- -Total elapsed CPU time spent to complete the collection from start to finish. - +Internal email ID. -type: float +type: keyword -- -*`elasticsearch.gc.jvm_runtime_sec`*:: +*`checkpoint.email_recipients_num`*:: + -- -The time from JVM start up in seconds, as a floating point number. - +Number of recipients. -type: float +type: long -- -*`elasticsearch.gc.threads_total_stop_time_sec`*:: +*`checkpoint.email_session_id`*:: + -- -Garbage collection threads total stop time seconds. - +Internal email session ID. -type: float +type: keyword -- -*`elasticsearch.gc.stopping_threads_time_sec`*:: +*`checkpoint.email_spool_id`*:: + -- -Time took to stop threads seconds. - +Internal email spool ID. 
-type: float +type: keyword -- -*`elasticsearch.gc.tags`*:: +*`checkpoint.email_subject`*:: + -- -GC logging tags. - +Email subject. type: keyword -- -[float] -=== heap - -Heap allocation and total size. +*`checkpoint.event_count`*:: ++ +-- +Number of events associated with the log. +type: long +-- -*`elasticsearch.gc.heap.size_kb`*:: +*`checkpoint.frequency`*:: + -- -Total heap size in kilobytes. - +Scan frequency. -type: integer +type: keyword -- -*`elasticsearch.gc.heap.used_kb`*:: +*`checkpoint.icmp_type`*:: + -- -Used heap in kilobytes. - +ICMP type. -type: integer +type: long -- -[float] -=== old_gen - -Old generation occupancy and total size. +*`checkpoint.icmp_code`*:: ++ +-- +ICMP code. +type: long +-- -*`elasticsearch.gc.old_gen.size_kb`*:: +*`checkpoint.identity_type`*:: + -- -Total size of old generation in kilobytes. - +Identity type. -type: integer +type: keyword -- -*`elasticsearch.gc.old_gen.used_kb`*:: +*`checkpoint.incident_extension`*:: + -- -Old generation occupancy in kilobytes. - +Format of original data. -type: integer +type: keyword -- -[float] -=== young_gen - -Young generation occupancy and total size. +*`checkpoint.integrity_av_invoke_type`*:: ++ +-- +Scan invoke type. +type: keyword +-- -*`elasticsearch.gc.young_gen.size_kb`*:: +*`checkpoint.malware_family`*:: + -- -Total size of young generation in kilobytes. - +Malware family. -type: integer +type: keyword -- -*`elasticsearch.gc.young_gen.used_kb`*:: +*`checkpoint.peer_gateway`*:: + -- -Young generation occupancy in kilobytes. - +Main IP of the peer Security Gateway. -type: integer +type: ip -- -[float] -=== server +*`checkpoint.performance_impact`*:: ++ +-- +Protection performance impact. -Server log file +type: integer +-- -*`elasticsearch.server.stacktrace`*:: +*`checkpoint.protection_id`*:: + -- -Field is not indexed. +Protection malware ID. + +type: keyword -- -[float] -=== gc +*`checkpoint.protection_name`*:: ++ +-- +Specific signature name of the attack. 
-GC log +type: keyword +-- -[float] -=== young +*`checkpoint.protection_type`*:: ++ +-- +Type of protection used to detect the attack. -Young GC +type: keyword +-- -*`elasticsearch.server.gc.young.one`*:: +*`checkpoint.scan_result`*:: + -- +Scan result. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.young.two`*:: +*`checkpoint.sensor_mode`*:: + -- +Sensor mode. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.overhead_seq`*:: +*`checkpoint.severity`*:: + -- -Sequence number - -type: long +Threat severity. -example: 3449992 +type: keyword -- -*`elasticsearch.server.gc.collection_duration.ms`*:: +*`checkpoint.spyware_name`*:: + -- -Time spent in GC, in milliseconds - -type: float +Spyware name. -example: 1600 +type: keyword -- -*`elasticsearch.server.gc.observation_duration.ms`*:: +*`checkpoint.spyware_status`*:: + -- -Total time over which collection was observed, in milliseconds - -type: float +Spyware status. -example: 1800 +type: keyword -- -[float] -=== slowlog +*`checkpoint.subs_exp`*:: ++ +-- +The expiration date of the subscription. -Slowlog events from Elasticsearch +type: date +-- -*`elasticsearch.slowlog.logger`*:: +*`checkpoint.tcp_flags`*:: + -- -Logger name +TCP packet flags. type: keyword -example: index.search.slowlog.fetch - -- -*`elasticsearch.slowlog.took`*:: +*`checkpoint.termination_reason`*:: + -- -Time it took to execute the query +Termination reason. type: keyword -example: 300ms - -- -*`elasticsearch.slowlog.types`*:: +*`checkpoint.update_status`*:: + -- -Types +Update status. type: keyword -example: - -- -*`elasticsearch.slowlog.stats`*:: +*`checkpoint.user_status`*:: + -- -Stats groups +User response. type: keyword -example: group1 - -- -*`elasticsearch.slowlog.search_type`*:: +*`checkpoint.uuid`*:: + -- -Search type +External ID. type: keyword -example: QUERY_THEN_FETCH - -- -*`elasticsearch.slowlog.source_query`*:: +*`checkpoint.virus_name`*:: + -- -Slow query +Virus name. 
type: keyword -example: {"query":{"match_all":{"boost":1.0}}} - -- -*`elasticsearch.slowlog.extra_source`*:: +*`checkpoint.voip_log_type`*:: + -- -Extra source information +VoIP log types. type: keyword -example: - -- -*`elasticsearch.slowlog.total_hits`*:: -+ --- -Total hits +[float] +=== cef.extensions -type: keyword +Extra vendor-specific extensions. -example: 42 --- -*`elasticsearch.slowlog.total_shards`*:: +*`cef.extensions.cp_app_risk`*:: + -- -Total queried shards - type: keyword -example: 22 - -- -*`elasticsearch.slowlog.routing`*:: +*`cef.extensions.cp_severity`*:: + -- -Routing - type: keyword -example: s01HZ2QBk9jw4gtgaFtn - -- -*`elasticsearch.slowlog.id`*:: +*`cef.extensions.ifname`*:: + -- -Id - type: keyword -example: - -- -*`elasticsearch.slowlog.type`*:: +*`cef.extensions.inzone`*:: + -- -Type - type: keyword -example: doc - -- -*`elasticsearch.slowlog.source`*:: +*`cef.extensions.layer_uuid`*:: + -- -Source of document that was indexed - type: keyword -- -[[exported-fields-envoyproxy]] -== Envoyproxy fields +*`cef.extensions.layer_name`*:: ++ +-- +type: keyword -Module for handling logs produced by envoy +-- +*`cef.extensions.logid`*:: ++ +-- +type: keyword +-- -[float] -=== envoyproxy +*`cef.extensions.loguid`*:: ++ +-- +type: keyword -Fields from envoy proxy logs after normalization +-- +*`cef.extensions.match_id`*:: ++ +-- +type: keyword +-- -*`envoyproxy.log_type`*:: +*`cef.extensions.nat_addtnl_rulenum`*:: + -- -Envoy log type, normally ACCESS +type: keyword +-- +*`cef.extensions.nat_rulenum`*:: ++ +-- type: keyword -- -*`envoyproxy.response_flags`*:: +*`cef.extensions.origin`*:: + -- -Response flags +type: keyword +-- +*`cef.extensions.originsicname`*:: ++ +-- type: keyword -- -*`envoyproxy.upstream_service_time`*:: +*`cef.extensions.outzone`*:: + -- -Upstream service time in nanoseconds - +type: keyword -type: long +-- -format: duration +*`cef.extensions.parent_rule`*:: ++ +-- +type: keyword -- -*`envoyproxy.request_id`*:: 
+*`cef.extensions.product`*:: + -- -ID of the request +type: keyword +-- +*`cef.extensions.rule_action`*:: ++ +-- type: keyword -- -*`envoyproxy.authority`*:: +*`cef.extensions.rule_uid`*:: + -- -Envoy proxy authority field +type: keyword +-- +*`cef.extensions.sequencenum`*:: ++ +-- type: keyword -- -*`envoyproxy.proxy_type`*:: +*`cef.extensions.service_id`*:: + -- -Envoy proxy type, tcp or http +type: keyword +-- +*`cef.extensions.version`*:: ++ +-- type: keyword -- -[[exported-fields-fortinet]] -== Fortinet fields +[[exported-fields-checkpoint]] +== Checkpoint fields -fortinet Module +Some checkpoint module [float] -=== fortinet +=== checkpoint -Fields from fortinet FortiOS +Module for parsing Checkpoint syslog. -*`fortinet.file.hash.crc32`*:: +*`checkpoint.confidence_level`*:: + -- -CRC32 Hash of file +Confidence level determined by ThreatCloud. -type: keyword +type: integer -- -[float] -=== firewall - -Module for parsing Fortinet syslog. - - - -*`fortinet.firewall.acct_stat`*:: +*`checkpoint.calc_desc`*:: + -- -Accounting state (RADIUS) +Log description. type: keyword -- -*`fortinet.firewall.acktime`*:: +*`checkpoint.dst_country`*:: + -- -Alarm Acknowledge Time +Destination country. type: keyword -- -*`fortinet.firewall.act`*:: +*`checkpoint.dst_user_name`*:: + -- -Action +Connected user name on the destination IP. type: keyword -- -*`fortinet.firewall.action`*:: +*`checkpoint.email_id`*:: + -- -Status of the session +Email number in smtp connection. type: keyword -- -*`fortinet.firewall.activity`*:: +*`checkpoint.email_subject`*:: + -- -HA activity message +Original email subject. type: keyword -- -*`fortinet.firewall.addr`*:: +*`checkpoint.email_session_id`*:: + -- -IP Address +Connection uuid. -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`checkpoint.event_count`*:: + -- -Address Type +Number of events associated with the log. 
-type: keyword +type: long -- -*`fortinet.firewall.addrgrp`*:: +*`checkpoint.sys_message`*:: + -- -Address Group +System messages type: keyword -- -*`fortinet.firewall.adgroup`*:: +*`checkpoint.logid`*:: + -- -AD Group Name +System messages type: keyword -- -*`fortinet.firewall.admin`*:: +*`checkpoint.failure_impact`*:: + -- -Admin User +The impact of update service failure. type: keyword -- -*`fortinet.firewall.age`*:: +*`checkpoint.id`*:: + -- -Time in seconds - time passed since last seen +Override application ID. type: integer -- -*`fortinet.firewall.agent`*:: +*`checkpoint.information`*:: + -- -User agent - eg. agent="Mozilla/5.0" +Policy installation status for a specific blade. type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`checkpoint.layer_name`*:: + -- -Alarm ID +Layer name. -type: integer +type: keyword -- -*`fortinet.firewall.alert`*:: +*`checkpoint.layer_uuid`*:: + -- -Alert +Layer UUID. type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`checkpoint.log_id`*:: + -- -The checksum of the file submitted for analytics +Unique identity for logs. -type: keyword +type: integer -- -*`fortinet.firewall.analyticssubmit`*:: +*`checkpoint.malware_family`*:: + -- -The flag for analytics submission +Additional information on protection. type: keyword -- -*`fortinet.firewall.ap`*:: +*`checkpoint.origin_sic_name`*:: + -- -Access Point +Machine SIC. type: keyword -- -*`fortinet.firewall.app-type`*:: +*`checkpoint.policy_mgmt`*:: + -- -Address Type +Name of the Management Server that manages this Security Gateway. type: keyword -- -*`fortinet.firewall.appact`*:: +*`checkpoint.policy_name`*:: + -- -The security action from app control +Name of the last policy that this Security Gateway fetched. type: keyword -- -*`fortinet.firewall.appid`*:: +*`checkpoint.protection_id`*:: + -- -Application ID +Protection malware id. 
-type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`checkpoint.protection_name`*:: + -- -Application Control profile +Specific signature name of the attack. type: keyword -- -*`fortinet.firewall.apprisk`*:: +*`checkpoint.protection_type`*:: + -- -Application Risk Level +Type of protection used to detect the attack. type: keyword -- -*`fortinet.firewall.apscan`*:: +*`checkpoint.protocol`*:: + -- -The name of the AP, which scanned and detected the rogue AP +Protocol detected on the connection. type: keyword -- -*`fortinet.firewall.apsn`*:: +*`checkpoint.proxy_src_ip`*:: + -- -Access Point +Sender source IP (even when using proxy). -type: keyword +type: ip -- -*`fortinet.firewall.apstatus`*:: +*`checkpoint.rule`*:: + -- -Access Point status +Matched rule number. -type: keyword +type: integer -- -*`fortinet.firewall.aptype`*:: +*`checkpoint.rule_action`*:: + -- -Access Point type +Action of the matched rule in the access policy. type: keyword -- -*`fortinet.firewall.assigned`*:: +*`checkpoint.scan_direction`*:: + -- -Assigned IP Address +Scan direction. -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`checkpoint.session_id`*:: + -- -Assigned IP Address +Log uuid. -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`checkpoint.source_os`*:: + -- -The flag for email attachement +OS which generated the attack. type: keyword -- -*`fortinet.firewall.attack`*:: +*`checkpoint.src_country`*:: + -- -Attack Name +Country name, derived from connection source IP address. type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`checkpoint.src_user_name`*:: + -- -The trigger patterns and the packetdata with base64 encoding +User name connected to source IP type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`checkpoint.ticket_id`*:: + -- -Attack context id / total +Unique ID per file. 
type: keyword -- -*`fortinet.firewall.attackid`*:: +*`checkpoint.tls_server_host_name`*:: + -- -Attack ID +SNI/CN from encrypted TLS connection used by URLF for categorization. -type: integer +type: keyword -- -*`fortinet.firewall.auditid`*:: +*`checkpoint.verdict`*:: + -- -Audit ID +TE engine verdict Possible values: Malicious/Benign/Error. -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`checkpoint.user`*:: + -- -The Audit Score +Source user name. type: keyword -- -*`fortinet.firewall.audittime`*:: +*`checkpoint.vendor_list`*:: + -- -The time of the audit +The vendor name that provided the verdict for a malicious URL. -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`checkpoint.web_server_type`*:: + -- -Authorization Group +Web server detected in the HTTP response. type: keyword -- -*`fortinet.firewall.authid`*:: +*`checkpoint.client_name`*:: + -- -Authentication ID +Client Application or Software Blade that detected the event. type: keyword -- -*`fortinet.firewall.authproto`*:: +*`checkpoint.client_version`*:: + -- -The protocol that initiated the authentication +Build version of SandBlast Agent client installed on the computer. type: keyword -- -*`fortinet.firewall.authserver`*:: +*`checkpoint.extension_version`*:: + -- -Authentication server +Build version of the SandBlast Agent browser extension. type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`checkpoint.host_time`*:: + -- -Bandwidth +Local time on the endpoint computer. type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`checkpoint.installed_products`*:: + -- -NAC quarantine Banned Rule Name +List of installed Endpoint Software Blades. type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`checkpoint.cc`*:: + -- -NAC quarantine Banned Source IP +The Carbon Copy address of the email. 
type: keyword -- -*`fortinet.firewall.banword`*:: +*`checkpoint.parent_process_username`*:: + -- -Banned word +Owner username of the parent process of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetdomain`*:: +*`checkpoint.process_username`*:: + -- -Botnet Domain Name +Owner username of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`checkpoint.audit_status`*:: + -- -Botnet IP Address +Audit Status. Can be Success or Failure. -type: ip +type: keyword -- -*`fortinet.firewall.bssid`*:: +*`checkpoint.objecttable`*:: + -- -Service Set ID +Table of affected objects. type: keyword -- -*`fortinet.firewall.call_id`*:: +*`checkpoint.objecttype`*:: + -- -Caller ID +The type of the affected object. type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`checkpoint.operation_number`*:: + -- -The FortiOS Carrier end-point identification +The operation nuber. type: keyword -- -*`fortinet.firewall.cat`*:: +*`checkpoint.email_recipients_num`*:: + -- -DNS category ID +Amount of recipients whom the mail was sent to. type: integer -- -*`fortinet.firewall.category`*:: +*`checkpoint.suppressed_logs`*:: + -- -Authentication category +Aggregated connections for five minutes on the same source, destination and port. -type: keyword +type: integer -- -*`fortinet.firewall.cc`*:: +*`checkpoint.blade_name`*:: + -- -CC Email Address +Blade name. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`checkpoint.status`*:: + -- -Cdrcontent +Ok/Warning/Error. type: keyword -- -*`fortinet.firewall.centralnatid`*:: +*`checkpoint.short_desc`*:: + -- -Central NAT ID +Short description of the process that was executed. -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`checkpoint.long_desc`*:: + -- -Certificate +More information on the process (usually describing error reason in failure). 
type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`checkpoint.scan_hosts_hour`*:: + -- -Certificate type +Number of unique hosts during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.certhash`*:: +*`checkpoint.scan_hosts_day`*:: + -- -Certificate hash +Number of unique hosts during the last day. -type: keyword +type: integer -- -*`fortinet.firewall.cfgattr`*:: +*`checkpoint.scan_hosts_week`*:: + -- -Configuration attribute +Number of unique hosts during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgobj`*:: +*`checkpoint.unique_detected_hour`*:: + -- -Configuration object +Detected virus for a specific host during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.cfgpath`*:: +*`checkpoint.unique_detected_day`*:: + -- -Configuration path +Detected virus for a specific host during the last day. -type: keyword +type: integer -- -*`fortinet.firewall.cfgtid`*:: +*`checkpoint.unique_detected_week`*:: + -- -Configuration transaction ID +Detected virus for a specific host during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgtxpower`*:: +*`checkpoint.scan_mail`*:: + -- -Configuration TX power +Number of emails that were scanned by "AB malicious activity" engine. type: integer -- -*`fortinet.firewall.channel`*:: +*`checkpoint.additional_ip`*:: + -- -Wireless Channel +DNS host name. -type: integer +type: keyword -- -*`fortinet.firewall.channeltype`*:: +*`checkpoint.description`*:: + -- -SSH channel type +Additional explanation how the security gateway enforced the connection. type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`checkpoint.email_spam_category`*:: + -- -Chassis ID +Email categories. Possible values: spam/not spam/phishing. -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: +*`checkpoint.email_control_analysis`*:: + -- -The checksum of the scanned file +Message classification, received from spam vendor engine. 
type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`checkpoint.scan_results`*:: + -- -HTTP Headers +"Infected"/description of a failure. type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`checkpoint.original_queue_id`*:: + -- -Connector object ID +Original postfix email queue id. type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`checkpoint.risk`*:: + -- -Wifi client address +Risk level we got from the engine. type: keyword -- -*`fortinet.firewall.cloudaction`*:: +*`checkpoint.observable_name`*:: + -- -Cloud Action +IOC observable signature name. type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`checkpoint.observable_id`*:: + -- -Cloud User +IOC observable signature id. type: keyword -- -*`fortinet.firewall.column`*:: +*`checkpoint.observable_comment`*:: + -- -VOIP Column +IOC observable signature description. -type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`checkpoint.indicator_name`*:: + -- -CLI Command +IOC indicator name. type: keyword -- -*`fortinet.firewall.community`*:: +*`checkpoint.indicator_description`*:: + -- -SNMP Community +IOC indicator description. type: keyword -- -*`fortinet.firewall.configcountry`*:: +*`checkpoint.indicator_reference`*:: + -- -Configuration country +IOC indicator reference. type: keyword -- -*`fortinet.firewall.connection_type`*:: +*`checkpoint.indicator_uuid`*:: + -- -FortiClient Connection Type +IOC indicator uuid. type: keyword -- -*`fortinet.firewall.conserve`*:: +*`checkpoint.app_desc`*:: + -- -Flag for conserve mode +Application description. type: keyword -- -*`fortinet.firewall.constraint`*:: +*`checkpoint.app_id`*:: + -- -WAF http protocol restrictions +Application ID. -type: keyword +type: integer -- -*`fortinet.firewall.contentdisarmed`*:: +*`checkpoint.app_sig_id`*:: + -- -Email scanned content +IOC indicator description. 
type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`checkpoint.certificate_resource`*:: + -- -Content Type from HTTP header +HTTPS resource Possible values: SNI or domain name (DN). type: keyword -- -*`fortinet.firewall.cookies`*:: +*`checkpoint.certificate_validation`*:: + -- -VPN Cookie +Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. type: keyword -- -*`fortinet.firewall.count`*:: +*`checkpoint.browse_time`*:: + -- -Counts of action type +Application session browse time. -type: integer +type: keyword -- -*`fortinet.firewall.countapp`*:: +*`checkpoint.limit_requested`*:: + -- -Number of App Ctrl logs associated with the session +Indicates whether data limit was requested for the session. type: integer -- -*`fortinet.firewall.countav`*:: +*`checkpoint.limit_applied`*:: + -- -Number of AV logs associated with the session +Indicates whether the session was actually date limited. type: integer -- -*`fortinet.firewall.countcifs`*:: +*`checkpoint.dropped_total`*:: + -- -Number of CIFS logs associated with the session +Amount of dropped packets (both incoming and outgoing). type: integer -- -*`fortinet.firewall.countdlp`*:: +*`checkpoint.client_type_os`*:: + -- -Number of DLP logs associated with the session +Client OS detected in the HTTP request. -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: +*`checkpoint.name`*:: + -- -Number of DNS logs associated with the session +Application name. -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`checkpoint.properties`*:: + -- -Number of email logs associated with the session +Application categories. -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`checkpoint.sig_id`*:: + -- -Number of ff logs associated with the session +Application's signature ID which how it was detected by. 
-type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`checkpoint.desc`*:: + -- -Number of IPS logs associated with the session +Override application description. -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`checkpoint.referrer_self_uid`*:: + -- -Number of SSH logs associated with the session +UUID of the current log. -type: integer +type: keyword -- -*`fortinet.firewall.countssl`*:: +*`checkpoint.referrer_parent_uid`*:: + -- -Number of SSL logs associated with the session +Log UUID of the referring application. -type: integer +type: keyword -- -*`fortinet.firewall.countwaf`*:: +*`checkpoint.needs_browse_time`*:: + -- -Number of WAF logs associated with the session +Browse time required for the connection. type: integer -- -*`fortinet.firewall.countweb`*:: +*`checkpoint.cluster_info`*:: + -- -Number of Web filter logs associated with the session +Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`checkpoint.sync`*:: + -- -CPU Usage +Sync status and the reason (stable, at risk). -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`checkpoint.file_direction`*:: + -- -Client Reputation Action +File direction. Possible options: upload/download. -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`checkpoint.invalid_file_size`*:: + -- -Number of critical ratings +File_size field is valid only if this field is set to 0. type: integer -- -*`fortinet.firewall.crl`*:: +*`checkpoint.top_archive_file_name`*:: + -- -Client Reputation Level +In case of archive file: the file that was sent/received. type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`checkpoint.data_type_name`*:: + -- -Client Reputation Level +Data type in rulebase that was matched. 
type: keyword -- -*`fortinet.firewall.crscore`*:: +*`checkpoint.specific_data_type_name`*:: + -- -Some description +Compound/Group scenario, data type that was matched. -type: integer +type: keyword -- -*`fortinet.firewall.cveid`*:: +*`checkpoint.word_list`*:: + -- -CVE ID +Words matched by data type. type: keyword -- -*`fortinet.firewall.daemon`*:: +*`checkpoint.info`*:: + -- -Daemon name +Special log message. type: keyword -- -*`fortinet.firewall.datarange`*:: +*`checkpoint.outgoing_url`*:: + -- -Data range for reports +URL related to this log (for HTTP). type: keyword -- -*`fortinet.firewall.date`*:: +*`checkpoint.dlp_rule_name`*:: + -- -Date +Matched rule name. type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`checkpoint.dlp_recipients`*:: + -- -DDNS server +Mail recipients. -type: ip +type: keyword -- -*`fortinet.firewall.desc`*:: +*`checkpoint.dlp_subject`*:: + -- -Description +Mail subject. type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`checkpoint.dlp_word_list`*:: + -- -Detection method +Phrases matched by data type. type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`checkpoint.dlp_template_score`*:: + -- -Device category +Template data type match score. type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`checkpoint.message_size`*:: + -- -HA device Interface Name +Mail/post size. -type: keyword +type: integer -- -*`fortinet.firewall.devtype`*:: +*`checkpoint.dlp_incident_uid`*:: + -- -Device type +Unique ID of the matched rule. type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`checkpoint.dlp_related_incident_uid`*:: + -- -DHCP Message +Other ID related to this one. type: keyword -- -*`fortinet.firewall.dintf`*:: +*`checkpoint.dlp_data_type_name`*:: + -- -Destination interface +Matched data type. type: keyword -- -*`fortinet.firewall.disk`*:: +*`checkpoint.dlp_data_type_uid`*:: + -- -Assosciated disk +Unique ID of the matched data type. 
type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`checkpoint.dlp_violation_description`*:: + -- -Disk logging rate +Violation descriptions described in the rulebase. -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`checkpoint.dlp_relevant_data_types`*:: + -- -DLP extra information +In case of Compound/Group: the inner data types that were matched. type: keyword -- -*`fortinet.firewall.docsource`*:: +*`checkpoint.dlp_action_reason`*:: + -- -DLP fingerprint document source +Action chosen reason. type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`checkpoint.dlp_categories`*:: + -- -CIFS domain auth state +Data type category. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`checkpoint.dlp_transint`*:: + -- -CIFS domain auth type +HTTP/SMTP/FTP. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrldomain`*:: +*`checkpoint.duplicate`*:: + -- -CIFS domain auth domain +Log marked as duplicated, when mail is split and the Security Gateway sees it twice. type: keyword -- -*`fortinet.firewall.domainctrlip`*:: +*`checkpoint.incident_extension`*:: + -- -CIFS Domain IP +Matched data type. -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`checkpoint.matched_file`*:: + -- -CIFS Domain name +Unique ID of the matched data type. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`checkpoint.matched_file_text_segments`*:: + -- -CIFS Domain connection protocol +Fingerprint: number of text segments matched by this traffic. type: integer -- -*`fortinet.firewall.domainctrlusername`*:: +*`checkpoint.matched_file_percentage`*:: + -- -CIFS Domain username +Fingerprint: match percentage of the traffic. -type: keyword +type: integer -- -*`fortinet.firewall.domainfilteridx`*:: +*`checkpoint.dlp_additional_action`*:: + -- -Domain filter ID +Watermark/None. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainfilterlist`*:: +*`checkpoint.dlp_watermark_profile`*:: + -- -Domain filter name +Watermark which was applied. type: keyword -- -*`fortinet.firewall.ds`*:: +*`checkpoint.dlp_repository_id`*:: + -- -Direction with distribution system +ID of scanned repository. type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`checkpoint.dlp_repository_root_path`*:: + -- -Destination interface +Repository path. type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`checkpoint.scan_id`*:: + -- -Destination interface role +Sequential number of scan. type: keyword -- -*`fortinet.firewall.dstcountry`*:: +*`checkpoint.special_properties`*:: + -- -Destination country +If this field is set to '1' the log will not be shown (in use for monitoring scan progress). -type: keyword +type: integer -- -*`fortinet.firewall.dstdevcategory`*:: +*`checkpoint.dlp_repository_total_size`*:: + -- -Destination device category +Repository size. -type: keyword +type: integer -- -*`fortinet.firewall.dstdevtype`*:: +*`checkpoint.dlp_repository_files_number`*:: + -- -Destination device type +Number of files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dstfamily`*:: +*`checkpoint.dlp_repository_scanned_files_number`*:: + -- -Destination OS family +Number of scanned files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dsthwvendor`*:: +*`checkpoint.duration`*:: + -- -Destination HW vendor +Scan duration. type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +*`checkpoint.dlp_fingerprint_long_status`*:: + -- -Destination HW version +Scan status - long format. type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`checkpoint.dlp_fingerprint_short_status`*:: + -- -Destination interface service +Scan status - short format. type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`checkpoint.dlp_repository_directories_number`*:: + -- -Destination OS name +Number of directories in repository. 
-type: keyword +type: integer -- -*`fortinet.firewall.dstosversion`*:: +*`checkpoint.dlp_repository_unreachable_directories_number`*:: + -- -Destination OS version +Number of directories the Security Gateway was unable to read. -type: keyword +type: integer -- -*`fortinet.firewall.dstserver`*:: +*`checkpoint.dlp_fingerprint_files_number`*:: + -- -Destination server +Number of successfully scanned files in repository. type: integer -- -*`fortinet.firewall.dstssid`*:: +*`checkpoint.dlp_repository_skipped_files_number`*:: + -- -Destination SSID +Skipped number of files because of configuration. -type: keyword +type: integer -- -*`fortinet.firewall.dstswversion`*:: +*`checkpoint.dlp_repository_scanned_directories_number`*:: + -- -Destination software version +Amount of directories scanned. -type: keyword +type: integer -- -*`fortinet.firewall.dstunauthusersource`*:: +*`checkpoint.number_of_errors`*:: + -- -Destination unauthenticated source +Number of files that were not scanned due to an error. -type: keyword +type: integer -- -*`fortinet.firewall.dstuuid`*:: +*`checkpoint.next_scheduled_scan_date`*:: + -- -UUID of the Destination IP address +Next scan scheduled time according to time object. type: keyword -- -*`fortinet.firewall.duid`*:: +*`checkpoint.dlp_repository_scanned_total_size`*:: + -- -DHCP UID +Size scanned. -type: keyword +type: integer -- -*`fortinet.firewall.eapolcnt`*:: +*`checkpoint.dlp_repository_reached_directories_number`*:: + -- -EAPOL packet count +Number of scanned directories in repository. type: integer -- -*`fortinet.firewall.eapoltype`*:: +*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: + -- -EAPOL packet type +Percentage of directories the Security Gateway was unable to read. -type: keyword +type: integer -- -*`fortinet.firewall.encrypt`*:: +*`checkpoint.speed`*:: + -- -Whether the packet is encrypted or not +Current scan speed. 
type: integer -- -*`fortinet.firewall.encryption`*:: +*`checkpoint.dlp_repository_scan_progress`*:: + -- -Encryption method +Scan percentage. -type: keyword +type: integer -- -*`fortinet.firewall.epoch`*:: +*`checkpoint.sub_policy_name`*:: + -- -Epoch used for locating file +Layer name. -type: integer +type: keyword -- -*`fortinet.firewall.espauth`*:: +*`checkpoint.sub_policy_uid`*:: + -- -ESP Authentication +Layer uid. type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`checkpoint.fw_message`*:: + -- -ESP Transform +Used for various firewall errors. type: keyword -- -*`fortinet.firewall.exch`*:: +*`checkpoint.message`*:: + -- -Mail Exchanges from DNS response answer section +ISP link has failed. type: keyword -- -*`fortinet.firewall.exchange`*:: +*`checkpoint.isp_link`*:: + -- -Mail Exchanges from DNS response answer section +Name of ISP link. type: keyword -- -*`fortinet.firewall.expectedsignature`*:: +*`checkpoint.fw_subproduct`*:: + -- -Expected SSL signature +Can be vpn/non vpn. type: keyword -- -*`fortinet.firewall.expiry`*:: +*`checkpoint.sctp_error`*:: + -- -FortiGuard override expiry timestamp +Error information, what caused sctp to fail on out_of_state. type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`checkpoint.chunk_type`*:: + -- -Fortinet Analysis and Management Service Pause +Chunck of the sctp stream. -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`checkpoint.sctp_association_state`*:: + -- -FortiAnalyzer Logging Rate +The bad state you were trying to update to. -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`checkpoint.tcp_packet_out_of_state`*:: + -- -FortiClient Endpoint SSN +State violation. type: keyword -- -*`fortinet.firewall.fctuid`*:: +*`checkpoint.tcp_flags`*:: + -- -FortiClient UID +TCP packet flags (SYN, ACK, etc.,). type: keyword -- -*`fortinet.firewall.field`*:: +*`checkpoint.connectivity_level`*:: + -- -NTP status field +Log for a new connection in wire mode. 
type: keyword -- -*`fortinet.firewall.filefilter`*:: +*`checkpoint.ip_option`*:: + -- -The filter used to identify the affected file +IP option that was dropped. -type: keyword +type: integer -- -*`fortinet.firewall.filehashsrc`*:: +*`checkpoint.tcp_state`*:: + -- -Filehash source +Log reinting a tcp state change. type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`checkpoint.expire_time`*:: + -- -DLP filter category +Connection closing time. type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`checkpoint.icmp_type`*:: + -- -DLP filter ID +In case a connection is ICMP, type info will be added to the log. type: integer -- -*`fortinet.firewall.filtername`*:: +*`checkpoint.icmp_code`*:: + -- -DLP rule name +In case a connection is ICMP, code info will be added to the log. -type: keyword +type: integer -- -*`fortinet.firewall.filtertype`*:: +*`checkpoint.rpc_prog`*:: + -- -DLP filter type +Log for new RPC state - prog values. -type: keyword +type: integer -- -*`fortinet.firewall.fortiguardresp`*:: +*`checkpoint.dce-rpc_interface_uuid`*:: + -- -Antispam ESP value +Log for new RPC state - UUID values type: keyword -- -*`fortinet.firewall.forwardedfor`*:: +*`checkpoint.elapsed`*:: + -- -Email address forwarded +Time passed since start time. type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`checkpoint.icmp`*:: + -- -FQDN +Number of packets, received by the client. type: keyword -- -*`fortinet.firewall.frametype`*:: +*`checkpoint.capture_uuid`*:: + -- -Wireless frametype +UUID generated for the capture. Used when enabling the capture when logging. type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`checkpoint.diameter_app_ID`*:: + -- -Free disk integer +The ID of diameter application. type: integer -- -*`fortinet.firewall.from`*:: +*`checkpoint.diameter_cmd_code`*:: + -- -From email address +Diameter not allowed application command id. 
-type: keyword +type: integer -- -*`fortinet.firewall.from_vcluster`*:: +*`checkpoint.diameter_msg_type`*:: + -- -Source virtual cluster number +Diameter message type. -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`checkpoint.cp_message`*:: + -- -FSA verdict +Used to log a general message. -type: keyword +type: integer -- -*`fortinet.firewall.fwserver_name`*:: +*`checkpoint.log_delay`*:: + -- -Web proxy server name +Time left before deleting template. -type: keyword +type: integer -- -*`fortinet.firewall.gateway`*:: +*`checkpoint.attack_status`*:: + -- -Gateway ip address for PPPoE status report +In case of a malicious event on an endpoint computer, the status of the attack. -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`checkpoint.impacted_files`*:: + -- -Memory status +In case of an infection on an endpoint computer, the list of files that the malware impacted. type: keyword -- -*`fortinet.firewall.groupid`*:: +*`checkpoint.remediated_files`*:: + -- -User Group ID +In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. -type: integer +type: keyword -- -*`fortinet.firewall.ha-prio`*:: +*`checkpoint.triggered_by`*:: + -- -HA Priority +The name of the mechanism that triggered the Software Blade to enforce a protection. -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`checkpoint.https_inspection_rule_id`*:: + -- -HA Group +ID of the matched rule. type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`checkpoint.https_inspection_rule_name`*:: + -- -HA Role +Name of the matched rule. type: keyword -- -*`fortinet.firewall.handshake`*:: +*`checkpoint.app_properties`*:: + -- -SSL Handshake +List of all found categories. type: keyword -- -*`fortinet.firewall.hash`*:: +*`checkpoint.https_validation`*:: + -- -Hash value of downloaded file +Precise error, describing HTTPS inspection failure. 
type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`checkpoint.https_inspection_action`*:: + -- -Heartbeat down reason +HTTPS inspection action (Inspect/Bypass/Error). type: keyword -- -*`fortinet.firewall.highcount`*:: +*`checkpoint.icap_service_id`*:: + -- -Highcount fabric summary +Service ID, can work with multiple servers, treated as services. type: integer -- -*`fortinet.firewall.host`*:: +*`checkpoint.icap_server_name`*:: + -- -Hostname +Server name. type: keyword -- -*`fortinet.firewall.iaid`*:: +*`checkpoint.internal_error`*:: + -- -DHCPv6 id +Internal error, for troubleshooting type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`checkpoint.icap_more_info`*:: + -- -Destination Port of the ICMP message +Free text for verdict. -type: keyword +type: integer -- -*`fortinet.firewall.icmpid`*:: +*`checkpoint.reply_status`*:: + -- -Source port of the ICMP message +ICAP reply status code, e.g. 200 or 204. -type: keyword +type: integer -- -*`fortinet.firewall.icmptype`*:: +*`checkpoint.icap_server_service`*:: + -- -The type of ICMP message +Service name, as given in the ICAP URI type: keyword -- -*`fortinet.firewall.identifier`*:: +*`checkpoint.mirror_and_decrypt_type`*:: + -- -Network traffic identifier +Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). -type: integer +type: keyword -- -*`fortinet.firewall.in_spi`*:: +*`checkpoint.interface_name`*:: + -- -IPSEC inbound SPI +Designated interface for mirror And decrypt. type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`checkpoint.session_uid`*:: + -- -Incident serial number +HTTP session-id. -type: integer +type: keyword -- -*`fortinet.firewall.infected`*:: +*`checkpoint.broker_publisher`*:: + -- -Infected MMS +IP address of the broker publisher who shared the session information. 
-type: integer +type: ip -- -*`fortinet.firewall.infectedfilelevel`*:: +*`checkpoint.src_user_dn`*:: + -- -DLP infected file level +User distinguished name connected to source IP. -type: integer +type: keyword -- -*`fortinet.firewall.informationsource`*:: +*`checkpoint.proxy_user_name`*:: + -- -Information source +User name connected to proxy IP. type: keyword -- -*`fortinet.firewall.init`*:: +*`checkpoint.proxy_machine_name`*:: + -- -IPSEC init stage +Machine name connected to proxy IP. -type: keyword +type: integer -- -*`fortinet.firewall.initiator`*:: +*`checkpoint.proxy_user_dn`*:: + -- -Original login user name for Fortiguard override +User distinguished name connected to proxy IP. type: keyword -- -*`fortinet.firewall.interface`*:: +*`checkpoint.query`*:: + -- -Related interface +DNS query. type: keyword -- -*`fortinet.firewall.intf`*:: +*`checkpoint.dns_query`*:: + -- -Related interface +DNS query. type: keyword -- -*`fortinet.firewall.invalidmac`*:: +*`checkpoint.inspection_item`*:: + -- -The MAC address with invalid OUI +Blade element performed inspection. type: keyword -- -*`fortinet.firewall.ip`*:: +*`checkpoint.performance_impact`*:: + -- -Related IP +Protection performance impact. -type: ip +type: integer -- -*`fortinet.firewall.iptype`*:: +*`checkpoint.inspection_category`*:: + -- -Related IP type +Inspection category: protocol anomaly, signature etc. type: keyword -- -*`fortinet.firewall.keyword`*:: +*`checkpoint.inspection_profile`*:: + -- -Keyword used for search +Profile which the activated protection belongs to. type: keyword -- -*`fortinet.firewall.kind`*:: +*`checkpoint.summary`*:: + -- -VOIP kind +Summary message of a non-compliant DNS traffic drops or detects. type: keyword -- -*`fortinet.firewall.lanin`*:: +*`checkpoint.question_rdata`*:: + -- -LAN incoming traffic in bytes +List of question records domains. 
-type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`checkpoint.answer_rdata`*:: + -- -LAN outbound traffic in bytes +List of answer resource records to the questioned domains. -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`checkpoint.authority_rdata`*:: + -- -DHCP lease +List of authoritative servers. -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`checkpoint.additional_rdata`*:: + -- -Maximum Number of FortiClients for the License +List of additional resource records. type: keyword -- -*`fortinet.firewall.limit`*:: +*`checkpoint.files_names`*:: + -- -Virtual Domain Resource Limit +List of files requested by FTP. -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`checkpoint.ftp_user`*:: + -- -VOIP line +FTP username. type: keyword -- -*`fortinet.firewall.live`*:: +*`checkpoint.mime_from`*:: + -- -Time in seconds +Sender's address. -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`checkpoint.mime_to`*:: + -- -Local IP for a PPPD Connection +List of receiver address. -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`checkpoint.bcc`*:: + -- -Log message +List of BCC addresses. type: keyword -- -*`fortinet.firewall.login`*:: +*`checkpoint.content_type`*:: + -- -SSH login +Mail content type. Possible values: application/msword, text/html, image/gif etc. type: keyword -- -*`fortinet.firewall.lowcount`*:: +*`checkpoint.user_agent`*:: + -- -Fabric lowcount +String identifying requesting software user agent. -type: integer +type: keyword -- -*`fortinet.firewall.mac`*:: +*`checkpoint.referrer`*:: + -- -DHCP mac address +Referrer HTTP request header, previous web page address. type: keyword -- -*`fortinet.firewall.malform_data`*:: +*`checkpoint.http_location`*:: + -- -VOIP malformed data +Response header, indicates the URL to redirect a page to. 
-type: integer +type: keyword -- -*`fortinet.firewall.malform_desc`*:: +*`checkpoint.content_disposition`*:: + -- -VOIP malformed data description +Indicates how the content is expected to be displayed inline in the browser. type: keyword -- -*`fortinet.firewall.manuf`*:: +*`checkpoint.via`*:: + -- -Manufacturer name +Via header is added by proxies for tracking purposes to avoid sending reqests in loop. type: keyword -- -*`fortinet.firewall.masterdstmac`*:: +*`checkpoint.http_server`*:: + -- -Master mac address for a host with multiple network interfaces +Server HTTP header value, contains information about the software used by the origin server, which handles the request. type: keyword -- -*`fortinet.firewall.mastersrcmac`*:: +*`checkpoint.content_length`*:: + -- -The master MAC address for a host that has multiple network interfaces +Indicates the size of the entity-body of the HTTP header. type: keyword -- -*`fortinet.firewall.mediumcount`*:: +*`checkpoint.authorization`*:: + -- -Fabric medium count +Authorization HTTP header value. -type: integer +type: keyword -- -*`fortinet.firewall.mem`*:: +*`checkpoint.http_host`*:: + -- -Memory usage system statistics +Domain name of the server that the HTTP request is sent to. type: keyword -- -*`fortinet.firewall.meshmode`*:: +*`checkpoint.inspection_settings_log`*:: + -- -Wireless mesh mode +Indicats that the log was released by inspection settings. type: keyword -- -*`fortinet.firewall.message_type`*:: +*`checkpoint.cvpn_resource`*:: + -- -VOIP message type +Mobile Access application. type: keyword -- -*`fortinet.firewall.method`*:: +*`checkpoint.cvpn_category`*:: + -- -HTTP method +Mobile Access application type. type: keyword -- -*`fortinet.firewall.mgmtcnt`*:: +*`checkpoint.url`*:: + -- -The number of unauthorized client flooding managemet frames +Translated URL. 
-type: integer +type: keyword -- -*`fortinet.firewall.mode`*:: +*`checkpoint.reject_id`*:: + -- -IPSEC mode +A reject ID that corresponds to the one presented in the Mobile Access error page. type: keyword -- -*`fortinet.firewall.module`*:: +*`checkpoint.fs-proto`*:: + -- -PCI-DSS module +The file share protocol used in mobile acess file share application. type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`checkpoint.app_package`*:: + -- -Health Monitor Name +Unique identifier of the application on the protected mobile device. type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`checkpoint.appi_name`*:: + -- -Health Monitor Type +Name of application downloaded on the protected mobile device. type: keyword -- -*`fortinet.firewall.mpsk`*:: +*`checkpoint.app_repackaged`*:: + -- -Wireless MPSK +Indicates whether the original application was repackage not by the official developer. type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`checkpoint.app_sid_id`*:: + -- -Message Protocol Number +Unique SHA identifier of a mobile application. type: keyword -- -*`fortinet.firewall.mtu`*:: +*`checkpoint.app_version`*:: + -- -Max Transmission Unit Value +Version of the application downloaded on the protected mobile device. -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`checkpoint.developer_certificate_name`*:: + -- -Name +Name of the developer's certificate that was used to sign the mobile application. type: keyword -- -*`fortinet.firewall.nat`*:: +*`checkpoint.email_control`*:: + -- -NAT IP Address +Engine name. type: keyword -- -*`fortinet.firewall.netid`*:: +*`checkpoint.email_message_id`*:: + -- -Connector NetID +Email session id (uniqe ID of the mail). type: keyword -- -*`fortinet.firewall.new_status`*:: +*`checkpoint.email_queue_id`*:: + -- -New status on user change +Postfix email queue id. type: keyword -- -*`fortinet.firewall.new_value`*:: +*`checkpoint.email_queue_name`*:: + -- -New Virtual Domain Name +Postfix email queue name. 
type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`checkpoint.file_name`*:: + -- -New Channel Number +Malicious file name. -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`checkpoint.failure_reason`*:: + -- -New Chassis ID +MTA failure description. -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`checkpoint.email_headers`*:: + -- -New Slot Number +String containing all the email headers. -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`checkpoint.arrival_time`*:: + -- -Time interval in seconds for the next statistics. +Email arrival timestamp. -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`checkpoint.email_status`*:: + -- -Notification Type +Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended type: keyword -- -*`fortinet.firewall.noise`*:: +*`checkpoint.status_update`*:: + -- -Wifi Noise +Last time log was updated. -type: integer +type: keyword -- -*`fortinet.firewall.old_status`*:: +*`checkpoint.delivery_time`*:: + -- -Original Status +Timestamp of when email was delivered (MTA finished handling the email. type: keyword -- -*`fortinet.firewall.old_value`*:: +*`checkpoint.links_num`*:: + -- -Original Virtual Domain name +Number of links in the mail. -type: keyword +type: integer -- -*`fortinet.firewall.oldchannel`*:: +*`checkpoint.attachments_num`*:: + -- -Original channel +Number of attachments in the mail. type: integer -- -*`fortinet.firewall.oldchassisid`*:: +*`checkpoint.email_content`*:: + -- -Original Chassis Number +Mail contents. Possible options: attachments/links & attachments/links/text only. -type: integer +type: keyword -- -*`fortinet.firewall.oldslot`*:: +*`checkpoint.allocated_ports`*:: + -- -Original Slot Number +Amount of allocated ports. type: integer -- -*`fortinet.firewall.oldsn`*:: +*`checkpoint.capacity`*:: + -- -Old Serial number +Capacity of the ports. 
-type: keyword +type: integer -- -*`fortinet.firewall.oldwprof`*:: +*`checkpoint.ports_usage`*:: + -- -Old Web Filter Profile +Percentage of allocated ports. -type: keyword - --- - -*`fortinet.firewall.onwire`*:: -+ --- -A flag to indicate if the AP is onwire or not - - -type: keyword +type: integer -- -*`fortinet.firewall.opercountry`*:: +*`checkpoint.nat_exhausted_pool`*:: + -- -Operating Country +4-tuple of an exhausted pool. type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`checkpoint.nat_rulenum`*:: + -- -Operating TX power +NAT rulebase first matched rule. type: integer -- -*`fortinet.firewall.osname`*:: +*`checkpoint.nat_addtnl_rulenum`*:: + -- -Operating System name +When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. -type: keyword +type: integer -- -*`fortinet.firewall.osversion`*:: +*`checkpoint.message_info`*:: + -- -Operating System version +Used for information messages, for example:NAT connection has ended. type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`checkpoint.nat46`*:: + -- -Out SPI +NAT 46 status, in most cases "enabled". type: keyword -- -*`fortinet.firewall.outintf`*:: +*`checkpoint.end_time`*:: + -- -Out interface +TCP connection end time. type: keyword -- -*`fortinet.firewall.passedcount`*:: -+ --- -Fabric passed count - - -type: integer - --- - -*`fortinet.firewall.passwd`*:: +*`checkpoint.tcp_end_reason`*:: + -- -Changed user password information +Reason for TCP connection closure. type: keyword -- -*`fortinet.firewall.path`*:: +*`checkpoint.cgnet`*:: + -- -Path of looped configuration for security fabric +Describes NAT allocation for specific subscriber. type: keyword -- -*`fortinet.firewall.peer`*:: +*`checkpoint.subscriber`*:: + -- -WAN optimization peer +Source IP before CGNAT. -type: keyword +type: ip -- -*`fortinet.firewall.peer_notif`*:: +*`checkpoint.hide_ip`*:: + -- -VPN peer notification +Source IP which will be used after CGNAT. 
-type: keyword +type: ip -- -*`fortinet.firewall.phase2_name`*:: +*`checkpoint.int_start`*:: + -- -VPN phase2 name +Subscriber start int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.phone`*:: +*`checkpoint.int_end`*:: + -- -VOIP Phone +Subscriber end int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.pid`*:: +*`checkpoint.packet_amount`*:: + -- -Process ID +Amount of packets dropped. type: integer -- -*`fortinet.firewall.policytype`*:: +*`checkpoint.monitor_reason`*:: + -- -Policy Type +Aggregated logs of monitored packets. type: keyword -- -*`fortinet.firewall.poolname`*:: +*`checkpoint.drops_amount`*:: + -- -IP Pool name +Amount of multicast packets dropped. -type: keyword +type: integer -- -*`fortinet.firewall.port`*:: +*`checkpoint.securexl_message`*:: + -- -Log upload error port +Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. -type: integer +type: keyword -- -*`fortinet.firewall.portbegin`*:: +*`checkpoint.conns_amount`*:: + -- -IP Pool port number to begin +Connections amount of aggregated log info. type: integer -- -*`fortinet.firewall.portend`*:: +*`checkpoint.scope`*:: + -- -IP Pool port number to end +IP related to the attack. -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`checkpoint.analyzed_on`*:: + -- -Link Monitor Probe Protocol +Check Point ThreatCloud / emulator name. type: keyword -- -*`fortinet.firewall.process`*:: +*`checkpoint.detected_on`*:: + -- -URL Filter process +System and applications version the file was emulated on. type: keyword -- -*`fortinet.firewall.processtime`*:: +*`checkpoint.dropped_file_name`*:: + -- -Process time for reports +List of names dropped from the original file. 
-type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`checkpoint.dropped_file_type`*:: + -- -Profile Name +List of file types dropped from the original file. type: keyword -- -*`fortinet.firewall.profile_vd`*:: +*`checkpoint.dropped_file_hash`*:: + -- -Virtual Domain Name +List of file hashes dropped from the original file. type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`checkpoint.dropped_file_verdict`*:: + -- -Profile Group Name +List of file verdics dropped from the original file. type: keyword -- -*`fortinet.firewall.profiletype`*:: +*`checkpoint.emulated_on`*:: + -- -Profile Type +Images the files were emulated on. type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`checkpoint.extracted_file_type`*:: + -- -DNS question type value +Types of extracted files in case of an archive. -type: integer +type: keyword -- -*`fortinet.firewall.quarskip`*:: +*`checkpoint.extracted_file_names`*:: + -- -Quarantine skip explanation +Names of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`checkpoint.extracted_file_hash`*:: + -- -If quota has been exceeded +Archive hash in case of extracted files. type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`checkpoint.extracted_file_verdict`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +Verdict of extracted files in case of an archive. -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`checkpoint.extracted_file_uid`*:: + -- -Quota type +UID of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`checkpoint.mitre_initial_access`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +The adversary is trying to break into your network. -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`checkpoint.mitre_execution`*:: + -- -Radio band +The adversary is trying to run malicious code. 
type: keyword -- -*`fortinet.firewall.radioid`*:: +*`checkpoint.mitre_persistence`*:: + -- -Radio ID +The adversary is trying to maintain his foothold. -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`checkpoint.mitre_privilege_escalation`*:: + -- -Radio ID on the AP closest the rogue AP +The adversary is trying to gain higher-level permissions. -type: integer +type: keyword -- -*`fortinet.firewall.radioiddetected`*:: +*`checkpoint.mitre_defense_evasion`*:: + -- -Radio ID on the AP which detected the rogue AP +The adversary is trying to avoid being detected. -type: integer +type: keyword -- -*`fortinet.firewall.rate`*:: +*`checkpoint.mitre_credential_access`*:: + -- -Wireless rogue rate value +The adversary is trying to steal account names and passwords. type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`checkpoint.mitre_discovery`*:: + -- -Raw data value +The adversary is trying to expose information about your environment. type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`checkpoint.mitre_lateral_movement`*:: + -- -Raw data ID +The adversary is trying to explore your environment. type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`checkpoint.mitre_collection`*:: + -- -Received bytes delta +The adversary is trying to collect data of interest to achieve his goal. type: keyword -- -*`fortinet.firewall.reason`*:: +*`checkpoint.mitre_command_and_control`*:: + -- -Alert reason +The adversary is trying to communicate with compromised systems in order to control them. type: keyword -- -*`fortinet.firewall.received`*:: +*`checkpoint.mitre_exfiltration`*:: + -- -Server key exchange received +The adversary is trying to steal data. -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`checkpoint.mitre_impact`*:: + -- -Server key exchange received signature +The adversary is trying to manipulate, interrupt, or destroy your systems and data. 
type: keyword -- -*`fortinet.firewall.red`*:: +*`checkpoint.parent_file_hash`*:: + -- -Memory information in red +Archive's hash in case of extracted files. type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`checkpoint.parent_file_name`*:: + -- -Web filter referralurl +Archive's name in case of extracted files. type: keyword -- -*`fortinet.firewall.remote`*:: +*`checkpoint.parent_file_uid`*:: + -- -Remote PPP IP address +Archive's UID in case of extracted files. -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`checkpoint.similiar_iocs`*:: + -- -Remote Wifi Radius authentication time +Other IoCs similar to the ones found, related to the malicious file. type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`checkpoint.similar_hashes`*:: + -- -Report type +Hashes found similar to the malicious file. type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`checkpoint.similar_strings`*:: + -- -Request type +Strings found similar to the malicious file. type: keyword -- -*`fortinet.firewall.request_name`*:: +*`checkpoint.similar_communication`*:: + -- -VOIP request name +Network action found similar to the malicious file. type: keyword -- -*`fortinet.firewall.result`*:: +*`checkpoint.te_verdict_determined_by`*:: + -- -VPN phase result +Emulators determined file verdict. type: keyword -- -*`fortinet.firewall.role`*:: +*`checkpoint.packet_capture_unique_id`*:: + -- -VPN Phase 2 role +Identifier of the packet capture files. type: keyword -- -*`fortinet.firewall.rssi`*:: +*`checkpoint.total_attachments`*:: + -- -Received signal strength indicator +The number of attachments in an email. type: integer -- -*`fortinet.firewall.rsso_key`*:: +*`checkpoint.additional_info`*:: + -- -RADIUS SSO attribute value +ID of original file/mail which are sent by admin. type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`checkpoint.content_risk`*:: + -- -Rule data +File risk. 
-type: keyword +type: integer -- -*`fortinet.firewall.ruletype`*:: +*`checkpoint.operation`*:: + -- -Rule type +Operation made by Threat Extraction. type: keyword -- -*`fortinet.firewall.scanned`*:: -+ --- -Number of Scanned MMSs - - -type: integer - --- - -*`fortinet.firewall.scantime`*:: +*`checkpoint.scrubbed_content`*:: + -- -Scanned time +Active content that was found. -type: long +type: keyword -- -*`fortinet.firewall.scope`*:: +*`checkpoint.scrub_time`*:: + -- -FortiGuard Override Scope +Extraction process duration. type: keyword -- -*`fortinet.firewall.security`*:: +*`checkpoint.scrub_download_time`*:: + -- -Wireless rogue security +File download time from resource. type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`checkpoint.scrub_total_time`*:: + -- -Sensitivity for document fingerprint +Threat extraction total file handling time. type: keyword -- -*`fortinet.firewall.sensor`*:: +*`checkpoint.scrub_activity`*:: + -- -NAC Sensor Name +The result of the extraction type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`checkpoint.watermark`*:: + -- -Sent bytes delta +Reports whether watermark is added to the cleaned file. type: keyword -- -*`fortinet.firewall.seq`*:: +*`checkpoint.source_object`*:: + -- -Sequence number +Matched object name on source column. -type: keyword +type: integer -- -*`fortinet.firewall.serial`*:: +*`checkpoint.destination_object`*:: + -- -WAN optimisation serial +Matched object name on destination column. type: keyword -- -*`fortinet.firewall.serialno`*:: +*`checkpoint.drop_reason`*:: + -- -Serial number +Drop reason description. type: keyword -- -*`fortinet.firewall.server`*:: +*`checkpoint.hit`*:: + -- -AD server FQDN or IP +Number of hits on a rule. -type: keyword +type: integer -- -*`fortinet.firewall.session_id`*:: +*`checkpoint.rulebase_id`*:: + -- -Session ID +Layer number. 
-type: keyword +type: integer -- -*`fortinet.firewall.sessionid`*:: +*`checkpoint.first_hit_time`*:: + -- -WAD Session ID +First hit time in current interval. type: integer -- -*`fortinet.firewall.setuprate`*:: +*`checkpoint.last_hit_time`*:: + -- -Session Setup Rate +Last hit time in current interval. -type: long +type: integer -- -*`fortinet.firewall.severity`*:: +*`checkpoint.rematch_info`*:: + -- -Severity +Information sent when old connections cannot be matched during policy installation. type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`checkpoint.last_rematch_time`*:: + -- -Received bytes dropped by shaper +Connection rematched time. -type: integer +type: keyword -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`checkpoint.action_reason`*:: + -- -Sent bytes dropped by shaper +Connection drop reason. type: integer -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`checkpoint.c_bytes`*:: + -- -Dropped bytes per IP by shaper +Boolean value indicates whether bytes sent from the client side are used. type: integer -- -*`fortinet.firewall.shaperperipname`*:: +*`checkpoint.context_num`*:: + -- -Traffic shaper name (per IP) +Serial number of the log for a specific connection. -type: keyword +type: integer -- -*`fortinet.firewall.shaperrcvdname`*:: +*`checkpoint.match_id`*:: + -- -Traffic shaper name for received traffic +Private key of the rule -type: keyword +type: integer -- -*`fortinet.firewall.shapersentname`*:: +*`checkpoint.alert`*:: + -- -Traffic shaper name for sent traffic +Alert level of matched rule (for connection logs). type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: +*`checkpoint.parent_rule`*:: + -- -Traffic shaper policy ID +Parent rule number, in case of inline layer. type: integer -- -*`fortinet.firewall.signal`*:: +*`checkpoint.match_fk`*:: + -- -Wireless rogue API signal +Rule number. 
type: integer -- -*`fortinet.firewall.size`*:: +*`checkpoint.dropped_outgoing`*:: + -- -Email size in bytes +Number of outgoing bytes dropped when using UP-limit feature. -type: long +type: integer -- -*`fortinet.firewall.slot`*:: +*`checkpoint.dropped_incoming`*:: + -- -Slot number +Number of incoming bytes dropped when using UP-limit feature. type: integer -- -*`fortinet.firewall.sn`*:: +*`checkpoint.media_type`*:: + -- -Security fabric serial number +Media used (audio, video, etc.) type: keyword -- -*`fortinet.firewall.snclosest`*:: +*`checkpoint.sip_reason`*:: + -- -SN of the AP closest to the rogue AP +Explains why 'source_ip' isn't allowed to redirect (handover). type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`checkpoint.voip_method`*:: + -- -SN of the AP which detected the rogue AP +Registration request. type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`checkpoint.registered_ip-phones`*:: + -- -SN of the mesh parent +Registered IP-Phones. type: keyword -- -*`fortinet.firewall.spi`*:: +*`checkpoint.voip_reg_user_type`*:: + -- -IPSEC SPI +Registered IP-Phone type. type: keyword -- -*`fortinet.firewall.src_int`*:: +*`checkpoint.voip_call_id`*:: + -- -Source interface +Call-ID. type: keyword -- -*`fortinet.firewall.srcintfrole`*:: +*`checkpoint.voip_reg_int`*:: + -- -Source interface role +Registration port. -type: keyword +type: integer -- -*`fortinet.firewall.srccountry`*:: +*`checkpoint.voip_reg_ipp`*:: + -- -Source country +Registration IP protocol. -type: keyword +type: integer -- -*`fortinet.firewall.srcfamily`*:: +*`checkpoint.voip_reg_period`*:: + -- -Source family +Registration period. -type: keyword +type: integer -- -*`fortinet.firewall.srchwvendor`*:: +*`checkpoint.voip_log_type`*:: + -- -Source hardware vendor +VoIP log types. Possible values: reject, call, registration. type: keyword -- -*`fortinet.firewall.srchwversion`*:: +*`checkpoint.src_phone_number`*:: + -- -Source hardware version +Source IP-Phone. 
type: keyword -- -*`fortinet.firewall.srcinetsvc`*:: +*`checkpoint.voip_from_user_type`*:: + -- -Source interface service +Source IP-Phone type. type: keyword -- -*`fortinet.firewall.srcname`*:: +*`checkpoint.dst_phone_number`*:: + -- -Source name +Destination IP-Phone. type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`checkpoint.voip_to_user_type`*:: + -- -Source server +Destination IP-Phone type. -type: integer +type: keyword -- -*`fortinet.firewall.srcssid`*:: +*`checkpoint.voip_call_dir`*:: + -- -Source SSID +Call direction: in/out. type: keyword -- -*`fortinet.firewall.srcswversion`*:: +*`checkpoint.voip_call_state`*:: + -- -Source software version +Call state. Possible values: in/out. type: keyword -- -*`fortinet.firewall.srcuuid`*:: +*`checkpoint.voip_call_term_time`*:: + -- -Source UUID +Call termination time stamp. type: keyword -- -*`fortinet.firewall.sscname`*:: +*`checkpoint.voip_duration`*:: + -- -SSC name +Call duration (seconds). type: keyword -- -*`fortinet.firewall.ssid`*:: +*`checkpoint.voip_media_port`*:: + -- -Base Service Set ID +Media int. type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`checkpoint.voip_media_ipp`*:: + -- -SSL Action +Media IP protocol. type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`checkpoint.voip_est_codec`*:: + -- -WAD SSL local +Estimated codec. type: keyword -- -*`fortinet.firewall.sslremote`*:: +*`checkpoint.voip_exp`*:: + -- -WAD SSL remote +Expiration. -type: keyword +type: integer -- -*`fortinet.firewall.stacount`*:: +*`checkpoint.voip_attach_sz`*:: + -- -Number of stations/clients +Attachment size. type: integer -- -*`fortinet.firewall.stage`*:: +*`checkpoint.voip_attach_action_info`*:: + -- -IPSEC stage +Attachment action Info. type: keyword -- -*`fortinet.firewall.stamac`*:: +*`checkpoint.voip_media_codec`*:: + -- -802.1x station mac +Estimated codec. type: keyword -- -*`fortinet.firewall.state`*:: +*`checkpoint.voip_reject_reason`*:: + -- -Admin login state +Reject reason. 
type: keyword -- -*`fortinet.firewall.status`*:: +*`checkpoint.voip_reason_info`*:: + -- -Status +Information. type: keyword -- -*`fortinet.firewall.stitch`*:: +*`checkpoint.voip_config`*:: + -- -Automation stitch triggered +Configuration. type: keyword -- -*`fortinet.firewall.subject`*:: +*`checkpoint.voip_reg_server`*:: + -- -Email subject +Registrar server IP address. -type: keyword +type: ip -- -*`fortinet.firewall.submodule`*:: +*`checkpoint.scv_user`*:: + -- -Configuration Sub-Module Name +Username whose packets are dropped on SCV. type: keyword -- -*`fortinet.firewall.subservice`*:: +*`checkpoint.scv_message_info`*:: + -- -AV subservice +Drop reason. type: keyword -- -*`fortinet.firewall.subtype`*:: +*`checkpoint.ppp`*:: + -- -Log subtype +Authentication status. type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`checkpoint.scheme`*:: + -- -Number of Suspicious MMSs +Describes the scheme used for the log. -type: integer +type: keyword -- -*`fortinet.firewall.switchproto`*:: +*`checkpoint.auth_method`*:: + -- -Protocol change information +Password authentication protocol used (PAP or EAP). type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`checkpoint.machine`*:: + -- -The sync status with the master +L2TP machine which triggered the log and the log refers to it. type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`checkpoint.vpn_feature_name`*:: + -- -The sync type with the master +L2TP /IKE / Link Selection. type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`checkpoint.reject_category`*:: + -- -System uptime +Authentication failure reason. type: keyword -- -*`fortinet.firewall.tamac`*:: +*`checkpoint.peer_ip_probing_status_update`*:: + -- -the MAC address of Transmitter, if none, then Receiver +IP address response status. type: keyword -- -*`fortinet.firewall.threattype`*:: +*`checkpoint.peer_ip`*:: + -- -WIDS threat type +IP address which the client connects to. 
type: keyword -- -*`fortinet.firewall.time`*:: +*`checkpoint.peer_gateway`*:: + -- -Time of the event +Main IP of the peer Security Gateway. -type: keyword +type: ip -- -*`fortinet.firewall.to`*:: +*`checkpoint.link_probing_status_update`*:: + -- -Email to field +IP address response status. type: keyword -- -*`fortinet.firewall.to_vcluster`*:: +*`checkpoint.source_interface`*:: + -- -destination virtual cluster number +External Interface name for source interface or Null if not found. -type: integer +type: keyword -- -*`fortinet.firewall.total`*:: +*`checkpoint.next_hop_ip`*:: + -- -Total memory +Next hop IP address. -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`checkpoint.srckeyid`*:: + -- -Total Number of Sessions +Initiator Spi ID. -type: integer +type: keyword -- -*`fortinet.firewall.trace_id`*:: +*`checkpoint.dstkeyid`*:: + -- -Session clash trace ID +Responder Spi ID. type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`checkpoint.encryption_failure`*:: + -- -NAT translation type +Message indicating why the encryption failed. type: keyword -- -*`fortinet.firewall.transid`*:: +*`checkpoint.ike_ids`*:: + -- -HTTP transaction ID +All QM ids. -type: integer +type: keyword -- -*`fortinet.firewall.translationid`*:: +*`checkpoint.community`*:: + -- -DNS filter transaltion ID +Community name for the IPSec key and the use of the IKEv. type: keyword -- -*`fortinet.firewall.trigger`*:: +*`checkpoint.ike`*:: + -- -Automation stitch trigger +IKEMode (PHASE1, PHASE2, etc..). type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`checkpoint.cookieI`*:: + -- -File filter true client IP +Initiator cookie. -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`checkpoint.cookieR`*:: + -- -IPSEC tunnel ID +Responder cookie. -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`checkpoint.msgid`*:: + -- -IPSEC tunnel IP +Message ID. 
-type: ip +type: keyword -- -*`fortinet.firewall.tunneltype`*:: +*`checkpoint.methods`*:: + -- -IPSEC tunnel type +IPSEc methods. type: keyword -- -*`fortinet.firewall.type`*:: +*`checkpoint.connection_uid`*:: + -- -Module type +Calculation of md5 of the IP and user name as UID. type: keyword -- -*`fortinet.firewall.ui`*:: +*`checkpoint.site_name`*:: + -- -Admin authentication UI type +Site name. type: keyword -- -*`fortinet.firewall.unauthusersource`*:: +*`checkpoint.esod_rule_name`*:: + -- -Unauthenticated user source +Unknown rule name. type: keyword -- -*`fortinet.firewall.unit`*:: +*`checkpoint.esod_rule_action`*:: + -- -Power supply unit +Unknown rule action. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilteridx`*:: +*`checkpoint.esod_rule_type`*:: + -- -URL filter ID +Unknown rule type. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`checkpoint.esod_noncompliance_reason`*:: + -- -URL filter list +Non-compliance reason. type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`checkpoint.esod_associated_policies`*:: + -- -URL filter source +Associated policies. type: keyword -- -*`fortinet.firewall.urltype`*:: +*`checkpoint.spyware_name`*:: + -- -URL filter type +Spyware name. type: keyword -- -*`fortinet.firewall.used`*:: +*`checkpoint.spyware_type`*:: + -- -Number of Used IPs +Spyware type. -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`checkpoint.anti_virus_type`*:: + -- -Connection for the type +Anti virus type. -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`checkpoint.end_user_firewall_type`*:: + -- -Security action performed by UTM +End user firewall type. type: keyword -- -*`fortinet.firewall.vap`*:: +*`checkpoint.esod_scan_status`*:: + -- -Virtual AP +Scan failed. type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`checkpoint.esod_access_status`*:: + -- -Virtual AP mode +Access denied. 
type: keyword -- -*`fortinet.firewall.vcluster`*:: +*`checkpoint.client_type`*:: + -- -virtual cluster id +Endpoint Connect. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_member`*:: +*`checkpoint.precise_error`*:: + -- -Virtual cluster member +HTTP parser error. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_state`*:: +*`checkpoint.method`*:: + -- -Virtual cluster state +HTTP method. type: keyword -- -*`fortinet.firewall.vd`*:: +*`checkpoint.trusted_domain`*:: + -- -Virtual Domain Name +In case of phishing event, the domain, which the attacker was impersonating. type: keyword -- -*`fortinet.firewall.vdname`*:: +[[exported-fields-cisco]] +== Cisco fields + +Module for handling Cisco network device logs. + + + +[float] +=== cisco + +Fields from Cisco logs. + + + +[float] +=== asa + +Fields for Cisco ASA Firewall. + + + +*`cisco.asa.message_id`*:: + -- -Virtual Domain Name +The Cisco ASA message identifier. type: keyword -- -*`fortinet.firewall.vendorurl`*:: +*`cisco.asa.suffix`*:: + -- -Vulnerability scan vendor name +Optional suffix after %ASA identifier. type: keyword +example: session + -- -*`fortinet.firewall.version`*:: +*`cisco.asa.source_interface`*:: + -- -Version +Source interface for the flow or event. type: keyword -- -*`fortinet.firewall.vip`*:: +*`cisco.asa.destination_interface`*:: + -- -Virtual IP +Destination interface for the flow or event. type: keyword -- -*`fortinet.firewall.virus`*:: +*`cisco.asa.rule_name`*:: + -- -Virus name +Name of the Access Control List rule that matched this event. type: keyword -- -*`fortinet.firewall.virusid`*:: +*`cisco.asa.source_username`*:: + -- -Virus ID (unique virus identifier) +Name of the user that is the source for this event. -type: integer +type: keyword -- -*`fortinet.firewall.voip_proto`*:: +*`cisco.asa.destination_username`*:: + -- -VOIP protocol +Name of the user that is the destination for this event. 
type: keyword -- -*`fortinet.firewall.vpn`*:: +*`cisco.asa.mapped_source_ip`*:: + -- -VPN description +The translated source IP address. -type: keyword +type: ip -- -*`fortinet.firewall.vpntunnel`*:: +*`cisco.asa.mapped_source_host`*:: + -- -IPsec Vpn Tunnel Name +The translated source host. type: keyword -- -*`fortinet.firewall.vpntype`*:: +*`cisco.asa.mapped_source_port`*:: + -- -The type of the VPN tunnel +The translated source port. -type: keyword +type: long -- -*`fortinet.firewall.vrf`*:: +*`cisco.asa.mapped_destination_ip`*:: + -- -VRF number +The translated destination IP address. -type: integer +type: ip -- -*`fortinet.firewall.vulncat`*:: +*`cisco.asa.mapped_destination_host`*:: + -- -Vulnerability Category +The translated destination host. type: keyword -- -*`fortinet.firewall.vulnid`*:: +*`cisco.asa.mapped_destination_port`*:: + -- -Vulnerability ID +The translated destination port. -type: integer +type: long -- -*`fortinet.firewall.vulnname`*:: +*`cisco.asa.threat_level`*:: + -- -Vulnerability name +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. type: keyword -- -*`fortinet.firewall.vwlid`*:: +*`cisco.asa.threat_category`*:: + -- -VWL ID +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. -type: integer +type: keyword -- -*`fortinet.firewall.vwlquality`*:: +*`cisco.asa.connection_id`*:: + -- -VWL quality +Unique identifier for a flow. type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`cisco.asa.icmp_type`*:: + -- -VWL service +ICMP type. -type: keyword +type: short -- -*`fortinet.firewall.vwpvlanid`*:: +*`cisco.asa.icmp_code`*:: + -- -VWP VLAN ID +ICMP code. 
-type: integer +type: short -- -*`fortinet.firewall.wanin`*:: +*`cisco.asa.connection_type`*:: + -- -WAN incoming traffic in bytes +The VPN connection type -type: long +type: keyword -- -*`fortinet.firewall.wanoptapptype`*:: +*`cisco.asa.dap_records`*:: + -- -WAN Optimization Application type +The assigned DAP records type: keyword -- -*`fortinet.firewall.wanout`*:: -+ --- -WAN outgoing traffic in bytes +[float] +=== ftd +Fields for Cisco Firepower Threat Defense Firewall. -type: long --- -*`fortinet.firewall.weakwepiv`*:: +*`cisco.ftd.message_id`*:: + -- -Weak Wep Initiation Vector +The Cisco FTD message identifier. type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`cisco.ftd.suffix`*:: + -- -XAuth Group Name +Optional suffix after %FTD identifier. type: keyword +example: session + -- -*`fortinet.firewall.xauthuser`*:: +*`cisco.ftd.source_interface`*:: + -- -XAuth User Name +Source interface for the flow or event. type: keyword -- -*`fortinet.firewall.xid`*:: +*`cisco.ftd.destination_interface`*:: + -- -Wireless X ID +Destination interface for the flow or event. -type: integer +type: keyword -- -[[exported-fields-googlecloud]] -== Google Cloud fields - -Module for handling logs from Google Cloud. - - - -[float] -=== googlecloud +*`cisco.ftd.rule_name`*:: ++ +-- +Name of the Access Control List rule that matched this event. -Fields from Google Cloud logs. +type: keyword +-- -[float] -=== destination.instance +*`cisco.ftd.source_username`*:: ++ +-- +Name of the user that is the source for this event. -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`googlecloud.destination.instance.project_id`*:: +*`cisco.ftd.destination_username`*:: + -- -ID of the project containing the VM. +Name of the user that is the destination for this event. 
type: keyword -- -*`googlecloud.destination.instance.region`*:: +*`cisco.ftd.mapped_source_ip`*:: + -- -Region of the VM. +The translated source IP address. Use ECS source.nat.ip. -type: keyword +type: ip -- -*`googlecloud.destination.instance.zone`*:: +*`cisco.ftd.mapped_source_host`*:: + -- -Zone of the VM. +The translated source host. type: keyword -- -[float] -=== destination.vpc +*`cisco.ftd.mapped_source_port`*:: ++ +-- +The translated source port. Use ECS source.nat.port. -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: long +-- -*`googlecloud.destination.vpc.project_id`*:: +*`cisco.ftd.mapped_destination_ip`*:: + -- -ID of the project containing the VM. +The translated destination IP address. Use ECS destination.nat.ip. -type: keyword +type: ip -- -*`googlecloud.destination.vpc.vpc_name`*:: +*`cisco.ftd.mapped_destination_host`*:: + -- -VPC on which the VM is operating. +The translated destination host. type: keyword -- -*`googlecloud.destination.vpc.subnetwork_name`*:: +*`cisco.ftd.mapped_destination_port`*:: + -- -Subnetwork on which the VM is operating. +The translated destination port. Use ECS destination.nat.port. -type: keyword +type: long -- -[float] -=== source.instance +*`cisco.ftd.threat_level`*:: ++ +-- +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`googlecloud.source.instance.project_id`*:: +*`cisco.ftd.threat_category`*:: + -- -ID of the project containing the VM. +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
type: keyword -- -*`googlecloud.source.instance.region`*:: +*`cisco.ftd.connection_id`*:: + -- -Region of the VM. +Unique identifier for a flow. type: keyword -- -*`googlecloud.source.instance.zone`*:: +*`cisco.ftd.icmp_type`*:: + -- -Zone of the VM. +ICMP type. -type: keyword +type: short -- -[float] -=== source.vpc +*`cisco.ftd.icmp_code`*:: ++ +-- +ICMP code. -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: short +-- -*`googlecloud.source.vpc.project_id`*:: +*`cisco.ftd.security`*:: + -- -ID of the project containing the VM. - +Raw fields for Security Events. -type: keyword +type: object -- -*`googlecloud.source.vpc.vpc_name`*:: +*`cisco.ftd.connection_type`*:: + -- -VPC on which the VM is operating. +The VPN connection type type: keyword -- -*`googlecloud.source.vpc.subnetwork_name`*:: +*`cisco.ftd.dap_records`*:: + -- -Subnetwork on which the VM is operating. +The assigned DAP records type: keyword 
@@ -22918,18057 +20910,128749 @@ type: keyword -- [float] -=== audit +=== ios -Fields for Google Cloud audit logs. +Fields for Cisco IOS logs. -*`googlecloud.audit.type`*:: +*`cisco.ios.access_list`*:: + -- -Type property. +Name of the IP access list. type: keyword -- -[float] -=== authentication_info +*`cisco.ios.facility`*:: ++ +-- +The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. -Authentication information. +type: keyword + +example: SEC +-- -*`googlecloud.audit.authentication_info.principal_email`*:: +*`cisco.network.interface.name`*:: + -- -The email address of the authenticated user making the request. +Name of the network interface where the traffic has been observed. type: keyword -- -*`googlecloud.audit.authentication_info.authority_selector`*:: + + +*`cisco.rsa.internal.msg`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`googlecloud.audit.authorization_info`*:: +*`cisco.rsa.internal.messageid`*:: + -- -Authorization information for the operation. +type: keyword +-- -type: array +*`cisco.rsa.internal.event_desc`*:: ++ +-- +type: keyword -- -*`googlecloud.audit.method_name`*:: +*`cisco.rsa.internal.message`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - +This key captures the contents of instant messages type: keyword -- -*`googlecloud.audit.num_response_items`*:: +*`cisco.rsa.internal.time`*:: + -- -The number of items returned from a List or Query API method, if applicable. +This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: long +type: date -- -[float] -=== request - -The operation request. +*`cisco.rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long +-- -*`googlecloud.audit.request.proto_name`*:: +*`cisco.rsa.internal.msg_id`*:: + -- -Type property of the request. - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.request.filter`*:: +*`cisco.rsa.internal.msg_vid`*:: + -- -Filter of the request. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.request.name`*:: +*`cisco.rsa.internal.data`*:: + -- -Name of the request. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.request.resource_name`*:: +*`cisco.rsa.internal.obj_server`*:: + -- -Name of the request resource. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== request_metadata - -Metadata about the request. - - - -*`googlecloud.audit.request_metadata.caller_ip`*:: +*`cisco.rsa.internal.obj_val`*:: + -- -The IP address of the caller. - +Deprecated key defined only in table map. -type: ip +type: keyword -- -*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: +*`cisco.rsa.internal.resource`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== response - -The operation response. 
- - - -*`googlecloud.audit.response.proto_name`*:: +*`cisco.rsa.internal.obj_id`*:: + -- -Type property of the response. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== details - -The details of the response. - - - -*`googlecloud.audit.response.details.group`*:: +*`cisco.rsa.internal.statement`*:: + -- -The name of the group. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.kind`*:: +*`cisco.rsa.internal.audit_class`*:: + -- -The kind of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.name`*:: +*`cisco.rsa.internal.entry`*:: + -- -The name of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.details.uid`*:: +*`cisco.rsa.internal.hcode`*:: + -- -The uid of the response details. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.audit.response.status`*:: +*`cisco.rsa.internal.inode`*:: + -- -Status of the response. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`googlecloud.audit.resource_name`*:: +*`cisco.rsa.internal.resource_class`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== resource_location - -The location of the resource. +*`cisco.rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. +type: long +-- -*`googlecloud.audit.resource_location.current_locations`*:: +*`cisco.rsa.internal.feed_desc`*:: + -- -Current locations of the resource. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.service_name`*:: +*`cisco.rsa.internal.feed_name`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== status - -The status of the overall operation. +*`cisco.rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`googlecloud.audit.status.code`*:: +*`cisco.rsa.internal.device_class`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`googlecloud.audit.status.message`*:: +*`cisco.rsa.internal.device_group`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - +*`cisco.rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword -[float] -=== rule_details +-- -Description of the firewall rule that matched this connection. +*`cisco.rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: ip +-- -*`googlecloud.firewall.rule_details.priority`*:: +*`cisco.rsa.internal.device_ipv6`*:: + -- -The priority for the firewall rule. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`googlecloud.firewall.rule_details.action`*:: +*`cisco.rsa.internal.device_type`*:: + -- -Action that the rule performs on match. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.direction`*:: +*`cisco.rsa.internal.device_type_id`*:: + -- -Direction of traffic that matches this rule. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.reference`*:: +*`cisco.rsa.internal.did`*:: + -- -Reference to the firewall rule. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.source_range`*:: +*`cisco.rsa.internal.entropy_req`*:: + -- -List of source ranges that the firewall rule applies to. 
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.destination_range`*:: +*`cisco.rsa.internal.entropy_res`*:: + -- -List of destination ranges that the firewall applies to. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.source_tag`*:: +*`cisco.rsa.internal.event_name`*:: + -- -List of all the source tags that the firewall rule applies to. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.target_tag`*:: +*`cisco.rsa.internal.feed_category`*:: + -- -List of all the target tags that the firewall rule applies to. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.ip_port_info`*:: +*`cisco.rsa.internal.forward_ip`*:: + -- -List of ip protocols and applicable port ranges for rules. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: array +type: ip -- -*`googlecloud.firewall.rule_details.source_service_account`*:: +*`cisco.rsa.internal.forward_ipv6`*:: + -- -List of all the source service accounts that the firewall rule applies to. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`googlecloud.firewall.rule_details.target_service_account`*:: +*`cisco.rsa.internal.header_id`*:: + -- -List of all the target service accounts that the firewall rule applies to. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== vpcflow - -Fields for Google Cloud VPC flow logs. - - - -*`googlecloud.vpcflow.reporter`*:: +*`cisco.rsa.internal.lc_cid`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.vpcflow.rtt.ms`*:: +*`cisco.rsa.internal.lc_ctime`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: date -type: long +-- +*`cisco.rsa.internal.mcb_req`*:: ++ -- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -[[exported-fields-gsuite]] -== gsuite fields +type: long -gsuite Module +-- +*`cisco.rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +type: long -[float] -=== gsuite +-- -Gsuite specific fields. -More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +*`cisco.rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: long +-- -*`gsuite.actor.type`*:: +*`cisco.rsa.internal.mcbc_res`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`gsuite.actor.key`*:: +*`cisco.rsa.internal.medium`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`gsuite.event.type`*:: +*`cisco.rsa.internal.node_name`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - +Deprecated key defined only in table map. type: keyword -example: audit#activity - -- -*`gsuite.kind`*:: +*`cisco.rsa.internal.nwe_callback_id`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - +This key denotes that event is endpoint related type: keyword -example: audit#activity - -- -*`gsuite.organization.domain`*:: +*`cisco.rsa.internal.parse_error`*:: + -- -The domain that is affected by the report's event. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`gsuite.saml.application_name`*:: +*`cisco.rsa.internal.payload_req`*:: + -- -Saml SP application name. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: keyword +type: long -- -*`gsuite.saml.failure_type`*:: +*`cisco.rsa.internal.payload_res`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep -type: keyword +type: long -- -*`gsuite.saml.initiated_by`*:: +*`cisco.rsa.internal.process_vid_dst`*:: + -- -Requester of SAML authentication. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`gsuite.saml.orgunit_path`*:: +*`cisco.rsa.internal.process_vid_src`*:: + -- -User orgunit. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`gsuite.saml.status_code`*:: +*`cisco.rsa.internal.rid`*:: + -- -SAML status code. - +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`gsuite.saml.second_level_status_code`*:: +*`cisco.rsa.internal.session_split`*:: + -- -SAML second level status code. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -[[exported-fields-haproxy]] -== HAProxy fields - -haproxy Module - - - -[float] -=== haproxy - +*`cisco.rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`haproxy.frontend_name`*:: +*`cisco.rsa.internal.size`*:: + -- -Name of the frontend (or listener) which received and processed the connection. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`haproxy.backend_name`*:: +*`cisco.rsa.internal.sourcefile`*:: + -- -Name of the backend (or listener) which was selected to manage the connection to the server. +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`haproxy.server_name`*:: +*`cisco.rsa.internal.ubc_req`*:: + -- -Name of the last server to which the connection was sent. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`haproxy.total_waiting_time_ms`*:: +*`cisco.rsa.internal.ubc_res`*:: + -- -Total time in milliseconds spent waiting in the various queues +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`haproxy.connection_wait_time_ms`*:: +*`cisco.rsa.internal.word`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: long +type: keyword -- -*`haproxy.bytes_read`*:: + +*`cisco.rsa.time.event_time`*:: + -- -Total number of bytes transmitted to the client when the log is emitted. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: long +type: date -- -*`haproxy.time_queue`*:: +*`cisco.rsa.time.duration_time`*:: + -- -Total time in milliseconds spent waiting in the various queues. +This key is used to capture the normalized duration/lifetime in seconds. -type: long +type: double -- -*`haproxy.time_backend_connect`*:: +*`cisco.rsa.time.event_time_str`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. 
+This key is used to capture the incomplete time mentioned in a session as a string -type: long +type: keyword -- -*`haproxy.server_queue`*:: +*`cisco.rsa.time.starttime`*:: + -- -Total number of requests which were processed before this one in the server queue. +This key is used to capture the Start time mentioned in a session in a standard form -type: long +type: date -- -*`haproxy.backend_queue`*:: +*`cisco.rsa.time.month`*:: + -- -Total number of requests which were processed before this one in the backend's global queue. - -type: long +type: keyword -- -*`haproxy.bind_name`*:: +*`cisco.rsa.time.day`*:: + -- -Name of the listening address which received the connection. +type: keyword -- -*`haproxy.error_message`*:: +*`cisco.rsa.time.endtime`*:: + -- -Error message logged by HAProxy in case of error. +This key is used to capture the End time mentioned in a session in a standard form -type: text +type: date -- -*`haproxy.source`*:: +*`cisco.rsa.time.timezone`*:: + -- -The HAProxy source of the log +This key is used to capture the timezone of the Event Time type: keyword -- -*`haproxy.termination_state`*:: +*`cisco.rsa.time.duration_str`*:: + -- -Condition the session was in when the session ended. +A text string version of the duration + +type: keyword -- -*`haproxy.mode`*:: +*`cisco.rsa.time.date`*:: + -- -mode that the frontend is operating (TCP or HTTP) - type: keyword -- -[float] -=== connections - -Contains various counts of connections active in the process. +*`cisco.rsa.time.year`*:: ++ +-- +type: keyword +-- -*`haproxy.connections.active`*:: +*`cisco.rsa.time.recorded_time`*:: + -- -Total number of concurrent connections on the process when the session was logged. +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
-type: long +type: date -- -*`haproxy.connections.frontend`*:: +*`cisco.rsa.time.datetime`*:: + -- -Total number of concurrent connections on the frontend when the session was logged. - -type: long +type: keyword -- -*`haproxy.connections.backend`*:: +*`cisco.rsa.time.effective_time`*:: + -- -Total number of concurrent connections handled by the backend when the session was logged. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: long +type: date -- -*`haproxy.connections.server`*:: +*`cisco.rsa.time.expire_time`*:: + -- -Total number of concurrent connections still active on the server when the session was logged. +This key is the timestamp that explicitly refers to an expiration. -type: long +type: date -- -*`haproxy.connections.retries`*:: +*`cisco.rsa.time.process_time`*:: + -- -Number of connection retries experienced by this session when trying to connect to the server. +Deprecated, use duration.time -type: long +type: keyword -- -[float] -=== client - -Information about the client doing the request +*`cisco.rsa.time.hour`*:: ++ +-- +type: keyword +-- -*`haproxy.client.ip`*:: +*`cisco.rsa.time.min`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`haproxy.client.port`*:: +*`cisco.rsa.time.timestamp`*:: + -- -type: alias - -alias to: source.port +type: keyword -- -*`haproxy.process_name`*:: +*`cisco.rsa.time.event_queue_time`*:: + -- -type: alias +This key is the Time that the event was queued. 
-alias to: process.name +type: date -- -*`haproxy.pid`*:: +*`cisco.rsa.time.p_time1`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -[float] -=== destination - -Destination information +*`cisco.rsa.time.tzone`*:: ++ +-- +type: keyword +-- -*`haproxy.destination.port`*:: +*`cisco.rsa.time.eventtime`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`haproxy.destination.ip`*:: +*`cisco.rsa.time.gmtdate`*:: + -- -type: alias - -alias to: destination.ip +type: keyword -- -[float] -=== geoip +*`cisco.rsa.time.gmttime`*:: ++ +-- +type: keyword -Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. +-- +*`cisco.rsa.time.p_date`*:: ++ +-- +type: keyword +-- -*`haproxy.geoip.continent_name`*:: +*`cisco.rsa.time.p_month`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`haproxy.geoip.country_iso_code`*:: +*`cisco.rsa.time.p_time`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`haproxy.geoip.location`*:: +*`cisco.rsa.time.p_time2`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`haproxy.geoip.region_name`*:: +*`cisco.rsa.time.p_year`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`haproxy.geoip.city_name`*:: +*`cisco.rsa.time.expire_time_str`*:: + -- -type: alias +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -alias to: source.geo.city_name +type: keyword -- -*`haproxy.geoip.region_iso_code`*:: +*`cisco.rsa.time.stamp`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_iso_code +type: date -- -[float] -=== http -Please add description +*`cisco.rsa.misc.action`*:: ++ +-- +type: keyword +-- -[float] -=== response +*`cisco.rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. 
-Fields related to the HTTP response +type: keyword +-- -*`haproxy.http.response.captured_cookie`*:: +*`cisco.rsa.misc.severity`*:: + -- -Optional "name=value" entry indicating that the client had this cookie in the response. +This key is used to capture the severity given the session +type: keyword -- -*`haproxy.http.response.captured_headers`*:: +*`cisco.rsa.misc.event_type`*:: + -- -List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. - +This key captures the event category type as specified by the event source. type: keyword -- -*`haproxy.http.response.status_code`*:: +*`cisco.rsa.misc.reference_id`*:: + -- -type: alias +This key is used to capture an event id from the session directly -alias to: http.response.status_code +type: keyword -- -[float] -=== request +*`cisco.rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. -Fields related to the HTTP request +type: keyword +-- -*`haproxy.http.request.captured_cookie`*:: +*`cisco.rsa.misc.disposition`*:: + -- -Optional "name=value" entry indicating that the server has returned a cookie with its request. +This key captures the The end state of an action. +type: keyword -- -*`haproxy.http.request.captured_headers`*:: +*`cisco.rsa.misc.result_code`*:: + -- -List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`haproxy.http.request.raw_request_line`*:: +*`cisco.rsa.misc.category`*:: + -- -Complete HTTP request line, including the method, request and HTTP version string. 
+This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`haproxy.http.request.time_wait_without_data_ms`*:: +*`cisco.rsa.misc.obj_name`*:: + -- -Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. +This is used to capture name of object -type: long +type: keyword -- -*`haproxy.http.request.time_wait_ms`*:: +*`cisco.rsa.misc.obj_type`*:: + -- -Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. +This is used to capture type of object -type: long +type: keyword -- -[float] -=== tcp +*`cisco.rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname -TCP log format +type: keyword +-- -*`haproxy.tcp.connection_waiting_time_ms`*:: +*`cisco.rsa.misc.log_session_id`*:: + -- -Total time in milliseconds elapsed between the accept and the last close +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -[[exported-fields-host-processor]] -== Host fields +*`cisco.rsa.misc.group`*:: ++ +-- +This key captures the Group Name value -Info collected for the host machine. +type: keyword +-- +*`cisco.rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. +type: keyword -*`host.containerized`*:: -+ -- -If the host is a container. +*`cisco.rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name -type: boolean +type: keyword -- -*`host.os.build`*:: +*`cisco.rsa.misc.context`*:: + -- -OS build information. - +This key captures Information which adds additional context to the event. type: keyword -example: 18D109 - -- -*`host.os.codename`*:: +*`cisco.rsa.misc.change_new`*:: + -- -OS codename, if any. 
- +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -example: stretch - -- -[[exported-fields-ibmmq]] -== ibmmq fields - -ibmmq Module - - - -[float] -=== ibmmq - - +*`cisco.rsa.misc.space`*:: ++ +-- +type: keyword +-- -[float] -=== errorlog +*`cisco.rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -IBM MQ error logs +type: keyword +-- -*`ibmmq.errorlog.installation`*:: +*`cisco.rsa.misc.msgIdPart1`*:: + -- -This is the installation name which can be given at installation time. -Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. +type: keyword +-- +*`cisco.rsa.misc.msgIdPart2`*:: ++ +-- type: keyword -- -*`ibmmq.errorlog.qmgr`*:: +*`cisco.rsa.misc.change_old`*:: + -- -Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`ibmmq.errorlog.arithinsert`*:: +*`cisco.rsa.misc.operation_id`*:: + -- -Changing content based on error.id +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`ibmmq.errorlog.commentinsert`*:: +*`cisco.rsa.misc.event_state`*:: + -- -Changing content based on error.id +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`ibmmq.errorlog.errordescription`*:: +*`cisco.rsa.misc.group_object`*:: + -- -Please add description - -type: text +This key captures a collection/grouping of entities. 
Specific usage -example: Please add example +type: keyword -- -*`ibmmq.errorlog.explanation`*:: +*`cisco.rsa.misc.node`*:: + -- -Explaines the error in more detail +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`ibmmq.errorlog.action`*:: +*`cisco.rsa.misc.rule`*:: + -- -Defines what to do when the error occurs +This key captures the Rule number type: keyword -- -*`ibmmq.errorlog.code`*:: +*`cisco.rsa.misc.device_name`*:: + -- -Error code. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -[[exported-fields-icinga]] -== Icinga fields +*`cisco.rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. -Icinga Module +type: keyword +-- +*`cisco.rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session -[float] -=== icinga +type: keyword +-- +*`cisco.rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +type: keyword -[float] -=== debug +-- -Contains fields for the Icinga debug logs. +*`cisco.rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" +type: keyword +-- -*`icinga.debug.facility`*:: +*`cisco.rsa.misc.event_log`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures the Name of the event log type: keyword -- -*`icinga.debug.severity`*:: +*`cisco.rsa.misc.OS`*:: + -- -type: alias +This key captures the Name of the Operating System -alias to: log.level +type: keyword -- -*`icinga.debug.message`*:: +*`cisco.rsa.misc.terminal`*:: + -- -type: alias +This key captures the Terminal Names only -alias to: message +type: keyword -- -[float] -=== main - -Contains fields for the Icinga main logs. 
- +*`cisco.rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword +-- -*`icinga.main.facility`*:: +*`cisco.rsa.misc.filter`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures Filter used to reduce result set type: keyword -- -*`icinga.main.severity`*:: +*`cisco.rsa.misc.serial_number`*:: + -- -type: alias +This key is the Serial number associated with a physical asset. -alias to: log.level +type: keyword -- -*`icinga.main.message`*:: +*`cisco.rsa.misc.checksum`*:: + -- -type: alias +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. -alias to: message +type: keyword -- -[float] -=== startup - -Contains fields for the Icinga startup logs. +*`cisco.rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +type: keyword +-- -*`icinga.startup.facility`*:: +*`cisco.rsa.misc.virusname`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures the name of the virus type: keyword -- -*`icinga.startup.severity`*:: +*`cisco.rsa.misc.content_type`*:: + -- -type: alias +This key is used to capture Content Type only. -alias to: log.level +type: keyword -- -*`icinga.startup.message`*:: +*`cisco.rsa.misc.group_id`*:: + -- -type: alias +This key captures Group ID Number (related to the group name) -alias to: message +type: keyword -- -[[exported-fields-iis]] -== IIS fields +*`cisco.rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -Module for parsing IIS log files. +type: keyword +-- +*`cisco.rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name -[float] -=== iis +type: keyword -Fields from IIS log files. 
+-- +*`cisco.rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID +type: keyword -[float] -=== access +-- -Contains fields for IIS access logs. +*`cisco.rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +type: keyword +-- -*`iis.access.sub_status`*:: +*`cisco.rsa.misc.sensor`*:: + -- -The HTTP substatus code. - +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: long +type: keyword -- -*`iis.access.win32_status`*:: +*`cisco.rsa.misc.sig_id`*:: + -- -The Windows status code. - +This key captures IDS/IPS Int Signature ID type: long -- -*`iis.access.site_name`*:: +*`cisco.rsa.misc.port_name`*:: + -- -The site name and instance number. - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`iis.access.server_name`*:: +*`cisco.rsa.misc.rule_group`*:: + -- -The name of the server on which the log file entry was generated. - +This key captures the Rule group name type: keyword -- -*`iis.access.cookie`*:: +*`cisco.rsa.misc.risk_num`*:: + -- -The content of the cookie sent or received, if any. - +This key captures a Numeric Risk value -type: keyword +type: double -- -*`iis.access.body_received.bytes`*:: +*`cisco.rsa.misc.trigger_val`*:: + -- -type: alias +This key captures the Value of the trigger or threshold condition. -alias to: http.request.body.bytes +type: keyword -- -*`iis.access.body_sent.bytes`*:: +*`cisco.rsa.misc.log_session_id1`*:: + -- -type: alias +This key is used to capture a Linked (Related) Session ID from the session directly -alias to: http.response.body.bytes +type: keyword -- -*`iis.access.server_ip`*:: +*`cisco.rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. 
-alias to: destination.address +type: keyword -- -*`iis.access.method`*:: +*`cisco.rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: http.request.method +type: keyword -- -*`iis.access.url`*:: +*`cisco.rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: url.path +type: keyword -- -*`iis.access.query_string`*:: +*`cisco.rsa.misc.risk`*:: + -- -type: alias +This key captures the non-numeric risk value -alias to: url.query +type: keyword -- -*`iis.access.port`*:: +*`cisco.rsa.misc.event_id`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`iis.access.user_name`*:: +*`cisco.rsa.misc.reason`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`iis.access.remote_ip`*:: +*`cisco.rsa.misc.status`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.access.referrer`*:: +*`cisco.rsa.misc.mail_id`*:: + -- -type: alias +This key is used to capture the mailbox id/name -alias to: http.request.referrer +type: keyword -- -*`iis.access.response_code`*:: +*`cisco.rsa.misc.rule_uid`*:: + -- -type: alias +This key is the Unique Identifier for a rule. -alias to: http.response.status_code +type: keyword -- -*`iis.access.http_version`*:: +*`cisco.rsa.misc.trigger_desc`*:: + -- -type: alias +This key captures the Description of the trigger or threshold condition. 
-alias to: http.version +type: keyword -- -*`iis.access.hostname`*:: +*`cisco.rsa.misc.inout`*:: + -- -type: alias - -alias to: host.hostname +type: keyword -- - -*`iis.access.user_agent.device`*:: +*`cisco.rsa.misc.p_msgid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`iis.access.user_agent.name`*:: +*`cisco.rsa.misc.data_type`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`iis.access.user_agent.os`*:: +*`cisco.rsa.misc.msgIdPart4`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`iis.access.user_agent.os_name`*:: +*`cisco.rsa.misc.error`*:: + -- -type: alias +This key captures All non successful Error codes or responses -alias to: user_agent.os.name +type: keyword -- -*`iis.access.user_agent.original`*:: +*`cisco.rsa.misc.index`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`iis.access.geoip.continent_name`*:: +*`cisco.rsa.misc.listnum`*:: + -- -type: alias +This key is used to capture listname or listnumber, primarily for collecting access-list -alias to: source.geo.continent_name +type: keyword -- -*`iis.access.geoip.country_iso_code`*:: +*`cisco.rsa.misc.ntype`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.access.geoip.location`*:: +*`cisco.rsa.misc.observed_val`*:: + -- -type: alias +This key captures the Value observed (from the perspective of the device generating the log). -alias to: source.geo.location +type: keyword -- -*`iis.access.geoip.region_name`*:: +*`cisco.rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. 
This contains details about the policy -alias to: source.geo.region_name +type: keyword -- -*`iis.access.geoip.city_name`*:: +*`cisco.rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: source.geo.city_name +type: keyword -- -*`iis.access.geoip.region_iso_code`*:: +*`cisco.rsa.misc.rule_template`*:: + -- -type: alias +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error - -Contains fields for IIS error logs. - - - -*`iis.error.reason_phrase`*:: +*`cisco.rsa.misc.count`*:: + -- -The HTTP reason phrase. - - type: keyword -- -*`iis.error.queue_name`*:: +*`cisco.rsa.misc.number`*:: + -- -The IIS application pool name. +type: keyword +-- +*`cisco.rsa.misc.sigcat`*:: ++ +-- type: keyword -- -*`iis.error.remote_ip`*:: +*`cisco.rsa.misc.type`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.error.remote_port`*:: +*`cisco.rsa.misc.comments`*:: + -- -type: alias +Comment information provided in the log message -alias to: source.port +type: keyword -- -*`iis.error.server_ip`*:: +*`cisco.rsa.misc.doc_number`*:: + -- -type: alias +This key captures File Identification number -alias to: destination.address +type: long -- -*`iis.error.server_port`*:: +*`cisco.rsa.misc.expected_val`*:: + -- -type: alias +This key captures the Value expected (from the perspective of the device generating the log). 
-alias to: destination.port +type: keyword -- -*`iis.error.http_version`*:: +*`cisco.rsa.misc.job_num`*:: + -- -type: alias +This key captures the Job Number -alias to: http.version +type: keyword -- -*`iis.error.method`*:: +*`cisco.rsa.misc.spi_dst`*:: + -- -type: alias +Destination SPI Index -alias to: http.request.method +type: keyword -- -*`iis.error.url`*:: +*`cisco.rsa.misc.spi_src`*:: + -- -type: alias +Source SPI Index -alias to: url.original +type: keyword -- -*`iis.error.response_code`*:: +*`cisco.rsa.misc.code`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- - -*`iis.error.geoip.continent_name`*:: +*`cisco.rsa.misc.agent_id`*:: + -- -type: alias +This key is used to capture agent id -alias to: source.geo.continent_name +type: keyword -- -*`iis.error.geoip.country_iso_code`*:: +*`cisco.rsa.misc.message_body`*:: + -- -type: alias +This key captures the The contents of the message body. -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.error.geoip.location`*:: +*`cisco.rsa.misc.phone`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`iis.error.geoip.region_name`*:: +*`cisco.rsa.misc.sig_id_str`*:: + -- -type: alias +This key captures a string object of the sigid variable. -alias to: source.geo.region_name +type: keyword -- -*`iis.error.geoip.city_name`*:: +*`cisco.rsa.misc.cmd`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`iis.error.geoip.region_iso_code`*:: +*`cisco.rsa.misc.misc`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-iptables]] -== iptables fields +*`cisco.rsa.misc.name`*:: ++ +-- +type: keyword -Module for handling the iptables logs. +-- +*`cisco.rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. +type: long -[float] -=== iptables +-- -Fields from the iptables logs. 
+*`cisco.rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred +type: keyword +-- -*`iptables.ether_type`*:: +*`cisco.rsa.misc.sig_id1`*:: + -- -Value of the ethernet type field identifying the network layer protocol. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`iptables.flow_label`*:: +*`cisco.rsa.misc.im_buddyid`*:: + -- -IPv6 flow label. +type: keyword +-- -type: integer +*`cisco.rsa.misc.im_client`*:: ++ +-- +type: keyword -- -*`iptables.fragment_flags`*:: +*`cisco.rsa.misc.im_userid`*:: + -- -IP fragment flags. A combination of CE, DF and MF. +type: keyword +-- +*`cisco.rsa.misc.pid`*:: ++ +-- type: keyword -- -*`iptables.fragment_offset`*:: +*`cisco.rsa.misc.priority`*:: + -- -Offset of the current IP fragment. - +type: keyword -type: long +-- +*`cisco.rsa.misc.context_subject`*:: ++ -- +This key is to be used in an audit context where the subject is the object being identified -[float] -=== icmp +type: keyword -ICMP fields. +-- +*`cisco.rsa.misc.context_target`*:: ++ +-- +type: keyword +-- -*`iptables.icmp.code`*:: +*`cisco.rsa.misc.cve`*:: + -- -ICMP code. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: long +type: keyword -- -*`iptables.icmp.id`*:: +*`cisco.rsa.misc.fcatnum`*:: + -- -ICMP ID. +This key captures Filter Category Number. Legacy Usage - -type: long +type: keyword -- -*`iptables.icmp.parameter`*:: +*`cisco.rsa.misc.library`*:: + -- -ICMP parameter. - +This key is used to capture library information in mainframe devices -type: long +type: keyword -- -*`iptables.icmp.redirect`*:: +*`cisco.rsa.misc.parent_node`*:: + -- -ICMP redirect address. +This key captures the Parent Node Name. Must be related to node variable. - -type: ip +type: keyword -- -*`iptables.icmp.seq`*:: +*`cisco.rsa.misc.risk_info`*:: + -- -ICMP sequence number. 
- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`iptables.icmp.type`*:: +*`cisco.rsa.misc.tcp_flags`*:: + -- -ICMP type. - +This key is captures the TCP flags set in any packet of session type: long -- -*`iptables.id`*:: +*`cisco.rsa.misc.tos`*:: + -- -Packet identifier. - +This key describes the type of service type: long -- -*`iptables.incomplete_bytes`*:: +*`cisco.rsa.misc.vm_target`*:: + -- -Number of incomplete bytes. +VMWare Target **VMWARE** only varaible. - -type: long +type: keyword -- -*`iptables.input_device`*:: +*`cisco.rsa.misc.workspace`*:: + -- -Device that received the packet. - +This key captures Workspace Description type: keyword -- -*`iptables.precedence_bits`*:: +*`cisco.rsa.misc.command`*:: + -- -IP precedence bits. +type: keyword +-- -type: short +*`cisco.rsa.misc.event_category`*:: ++ +-- +type: keyword -- -*`iptables.tos`*:: +*`cisco.rsa.misc.facilityname`*:: + -- -IP Type of Service field. +type: keyword +-- -type: long +*`cisco.rsa.misc.forensic_info`*:: ++ +-- +type: keyword -- -*`iptables.length`*:: +*`cisco.rsa.misc.jobname`*:: + -- -Packet length. +type: keyword +-- -type: long +*`cisco.rsa.misc.mode`*:: ++ +-- +type: keyword -- -*`iptables.output_device`*:: +*`cisco.rsa.misc.policy`*:: + -- -Device that output the packet. +type: keyword +-- +*`cisco.rsa.misc.policy_waiver`*:: ++ +-- type: keyword -- -[float] -=== tcp +*`cisco.rsa.misc.second`*:: ++ +-- +type: keyword -TCP fields. +-- +*`cisco.rsa.misc.space1`*:: ++ +-- +type: keyword +-- -*`iptables.tcp.flags`*:: +*`cisco.rsa.misc.subcategory`*:: + -- -TCP flags. +type: keyword +-- +*`cisco.rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -*`iptables.tcp.reserved_bits`*:: +*`cisco.rsa.misc.alert_id`*:: + -- -TCP reserved bits. - +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: short +type: keyword -- -*`iptables.tcp.seq`*:: +*`cisco.rsa.misc.checksum_dst`*:: + -- -TCP sequence number. 
+This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: long +type: keyword -- -*`iptables.tcp.ack`*:: +*`cisco.rsa.misc.checksum_src`*:: + -- -TCP Acknowledgment number. - +This key is used to capture the checksum or hash of the source entity such as a file or process. -type: long +type: keyword -- -*`iptables.tcp.window`*:: +*`cisco.rsa.misc.fresult`*:: + -- -Advertised TCP window size. - +This key captures the Filter Result type: long -- -*`iptables.ttl`*:: +*`cisco.rsa.misc.payload_dst`*:: + -- -Time To Live field. - +This key is used to capture destination payload -type: integer +type: keyword -- -[float] -=== udp - -UDP fields. - - - -*`iptables.udp.length`*:: +*`cisco.rsa.misc.payload_src`*:: + -- -Length of the UDP header and payload. - +This key is used to capture source payload -type: long +type: keyword -- -[float] -=== ubiquiti - -Fields for Ubiquiti network devices. - - - -*`iptables.ubiquiti.input_zone`*:: +*`cisco.rsa.misc.pool_id`*:: + -- -Input zone. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`iptables.ubiquiti.output_zone`*:: +*`cisco.rsa.misc.process_id_val`*:: + -- -Output zone. - +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`iptables.ubiquiti.rule_number`*:: +*`cisco.rsa.misc.risk_num_comm`*:: + -- -The rule number within the rule set. +This key captures Risk Number Community -type: keyword +type: double -- -*`iptables.ubiquiti.rule_set`*:: +*`cisco.rsa.misc.risk_num_next`*:: + -- -The rule set name. +This key captures Risk Number NextGen -type: keyword +type: double -- -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields - -Metadata from Jolokia Discovery added by the jolokia provider. 
+*`cisco.rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox +type: double +-- -*`jolokia.agent.version`*:: +*`cisco.rsa.misc.risk_num_static`*:: + -- -Version number of jolokia agent. - +This key captures Risk Number Static -type: keyword +type: double -- -*`jolokia.agent.id`*:: +*`cisco.rsa.misc.risk_suspicious`*:: + -- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`jolokia.server.product`*:: +*`cisco.rsa.misc.risk_warning`*:: + -- -The container product if detected. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`jolokia.server.version`*:: +*`cisco.rsa.misc.snmp_oid`*:: + -- -The container's version (if detected). - +SNMP Object Identifier type: keyword -- -*`jolokia.server.vendor`*:: +*`cisco.rsa.misc.sql`*:: + -- -The vendor of the container the agent is running in. - +This key captures the SQL query type: keyword -- -*`jolokia.url`*:: +*`cisco.rsa.misc.vuln_ref`*:: + -- -The URL how this agent can be contacted. - +This key captures the Vulnerability Reference details type: keyword -- -*`jolokia.secured`*:: +*`cisco.rsa.misc.acl_id`*:: + -- -Whether the agent was configured for authentication or not. - - -type: boolean +type: keyword -- -[[exported-fields-kafka]] -== Kafka fields - -Kafka module - - - -[float] -=== kafka - - - - -[float] -=== log - -Kafka log lines. - - - -*`kafka.log.level`*:: +*`cisco.rsa.misc.acl_op`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`kafka.log.message`*:: +*`cisco.rsa.misc.acl_pos`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`kafka.log.component`*:: +*`cisco.rsa.misc.acl_table`*:: + -- -Component the log is coming from. 
- - type: keyword -- -*`kafka.log.class`*:: +*`cisco.rsa.misc.admin`*:: + -- -Java class the log is coming from. - - type: keyword -- -*`kafka.log.thread`*:: +*`cisco.rsa.misc.alarm_id`*:: + -- -Thread name the log is coming from. - - type: keyword -- -[float] -=== trace - -Trace in the log line. - - - -*`kafka.log.trace.class`*:: +*`cisco.rsa.misc.alarmname`*:: + -- -Java class the trace is coming from. - - type: keyword -- -*`kafka.log.trace.message`*:: +*`cisco.rsa.misc.app_id`*:: + -- -Message part of the trace. - - -type: text +type: keyword -- -[[exported-fields-kibana]] -== kibana fields - -kibana Module - - - -[float] -=== kibana - - - - -[float] -=== log +*`cisco.rsa.misc.audit`*:: ++ +-- +type: keyword -Kafka log lines. +-- +*`cisco.rsa.misc.audit_object`*:: ++ +-- +type: keyword +-- -*`kibana.log.tags`*:: +*`cisco.rsa.misc.auditdata`*:: + -- -Kibana logging tags. +type: keyword +-- +*`cisco.rsa.misc.benchmark`*:: ++ +-- type: keyword -- -*`kibana.log.state`*:: +*`cisco.rsa.misc.bypass`*:: + -- -Current state of Kibana. 
+type: keyword +-- +*`cisco.rsa.misc.cache`*:: ++ +-- type: keyword -- -*`kibana.log.meta`*:: +*`cisco.rsa.misc.cache_hit`*:: + -- -type: object +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.referer`*:: +*`cisco.rsa.misc.cefversion`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.referer`*:: +*`cisco.rsa.misc.cfg_attr`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: +*`cisco.rsa.misc.cfg_obj`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- -*`kibana.log.kibana.log.meta.req.remoteAddress`*:: +*`cisco.rsa.misc.cfg_path`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`kibana.log.kibana.log.meta.req.url`*:: +*`cisco.rsa.misc.changes`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`kibana.log.kibana.log.meta.statusCode`*:: +*`cisco.rsa.misc.client_ip`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`kibana.log.kibana.log.meta.method`*:: +*`cisco.rsa.misc.clustermembers`*:: + -- -type: alias +type: keyword -alias to: http.request.method +-- +*`cisco.rsa.misc.cn_acttimeout`*:: ++ -- +type: keyword -[[exported-fields-kubernetes-processor]] -== Kubernetes fields +-- -Kubernetes metadata added by the kubernetes processor +*`cisco.rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword +-- +*`cisco.rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword +-- -*`kubernetes.pod.name`*:: +*`cisco.rsa.misc.cn_ctr_dst_code`*:: + -- -Kubernetes pod name +type: keyword +-- +*`cisco.rsa.misc.cn_dst_tos`*:: ++ +-- type: keyword -- -*`kubernetes.pod.uid`*:: +*`cisco.rsa.misc.cn_dst_vlan`*:: + -- -Kubernetes Pod UID +type: keyword +-- +*`cisco.rsa.misc.cn_engine_id`*:: ++ +-- type: keyword -- -*`kubernetes.namespace`*:: +*`cisco.rsa.misc.cn_engine_type`*:: + -- -Kubernetes namespace +type: keyword +-- +*`cisco.rsa.misc.cn_f_switch`*:: ++ +-- type: 
keyword -- -*`kubernetes.node.name`*:: +*`cisco.rsa.misc.cn_flowsampid`*:: + -- -Kubernetes node name +type: keyword +-- +*`cisco.rsa.misc.cn_flowsampintv`*:: ++ +-- type: keyword -- -*`kubernetes.labels.*`*:: +*`cisco.rsa.misc.cn_flowsampmode`*:: + -- -Kubernetes labels map +type: keyword +-- -type: object +*`cisco.rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword -- -*`kubernetes.annotations.*`*:: +*`cisco.rsa.misc.cn_inpermbyts`*:: + -- -Kubernetes annotations map +type: keyword +-- -type: object +*`cisco.rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword -- -*`kubernetes.replicaset.name`*:: +*`cisco.rsa.misc.cn_invalid`*:: + -- -Kubernetes replicaset name +type: keyword +-- +*`cisco.rsa.misc.cn_ip_proto_ver`*:: ++ +-- type: keyword -- -*`kubernetes.deployment.name`*:: +*`cisco.rsa.misc.cn_ipv4_ident`*:: + -- -Kubernetes deployment name +type: keyword +-- +*`cisco.rsa.misc.cn_l_switch`*:: ++ +-- type: keyword -- -*`kubernetes.statefulset.name`*:: +*`cisco.rsa.misc.cn_log_did`*:: + -- -Kubernetes statefulset name +type: keyword +-- +*`cisco.rsa.misc.cn_log_rid`*:: ++ +-- type: keyword -- -*`kubernetes.container.name`*:: +*`cisco.rsa.misc.cn_max_ttl`*:: + -- -Kubernetes container name +type: keyword +-- +*`cisco.rsa.misc.cn_maxpcktlen`*:: ++ +-- type: keyword -- -*`kubernetes.container.image`*:: +*`cisco.rsa.misc.cn_min_ttl`*:: + -- -Kubernetes container image +type: keyword +-- +*`cisco.rsa.misc.cn_minpcktlen`*:: ++ +-- type: keyword -- -[[exported-fields-log]] -== Log file content fields +*`cisco.rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword -Contains log file lines. +-- +*`cisco.rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword +-- -*`log.file.path`*:: +*`cisco.rsa.misc.cn_mpls_lbl_2`*:: + -- -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. 
+type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_3`*:: ++ +-- type: keyword -required: False - -- -*`log.source.address`*:: +*`cisco.rsa.misc.cn_mpls_lbl_4`*:: + -- -Source address from which the log event was read / sent from. +type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_5`*:: ++ +-- type: keyword -required: False - -- -*`log.offset`*:: +*`cisco.rsa.misc.cn_mpls_lbl_6`*:: + -- -The file offset the reported line starts at. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword -- -*`stream`*:: +*`cisco.rsa.misc.cn_mpls_lbl_8`*:: + -- -Log stream when reading container logs, can be 'stdout' or 'stderr' +type: keyword +-- +*`cisco.rsa.misc.cn_mpls_lbl_9`*:: ++ +-- type: keyword -required: False - -- -*`input.type`*:: +*`cisco.rsa.misc.cn_mplstoplabel`*:: + -- -The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. +type: keyword +-- -required: True +*`cisco.rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword -- -*`syslog.facility`*:: +*`cisco.rsa.misc.cn_mul_dst_byt`*:: + -- -The facility extracted from the priority. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword -- -*`syslog.priority`*:: +*`cisco.rsa.misc.cn_muligmptype`*:: + -- -The priority of the syslog event. - +type: keyword -type: long +-- -required: False +*`cisco.rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword -- -*`syslog.severity_label`*:: +*`cisco.rsa.misc.cn_sampint`*:: + -- -The human readable severity. +type: keyword +-- +*`cisco.rsa.misc.cn_seqctr`*:: ++ +-- type: keyword -required: False - -- -*`syslog.facility_label`*:: +*`cisco.rsa.misc.cn_spackets`*:: + -- -The human readable facility. +type: keyword +-- +*`cisco.rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -required: False - -- -*`process.program`*:: +*`cisco.rsa.misc.cn_src_vlan`*:: + -- -The name of the program. 
+type: keyword +-- +*`cisco.rsa.misc.cn_sysuptime`*:: ++ +-- type: keyword -required: False - -- -*`log.flags`*:: +*`cisco.rsa.misc.cn_template_id`*:: + -- -This field contains the flags of the event. - +type: keyword -- -*`http.response.content_length`*:: +*`cisco.rsa.misc.cn_totbytsexp`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- +*`cisco.rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword +-- -*`user_agent.os.full_name`*:: +*`cisco.rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`fileset.name`*:: +*`cisco.rsa.misc.cn_unixnanosecs`*:: + -- -The Filebeat fileset that generated this event. +type: keyword +-- +*`cisco.rsa.misc.cn_v6flowlabel`*:: ++ +-- type: keyword -- -*`fileset.module`*:: +*`cisco.rsa.misc.cn_v6optheaders`*:: + -- -type: alias - -alias to: event.module +type: keyword -- -*`read_timestamp`*:: +*`cisco.rsa.misc.comp_class`*:: + -- -type: alias - -alias to: event.created +type: keyword -- -*`docker.attrs`*:: +*`cisco.rsa.misc.comp_name`*:: + -- -docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. +type: keyword +-- -type: object +*`cisco.rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword -- -*`icmp.code`*:: +*`cisco.rsa.misc.comp_sbytes`*:: + -- -ICMP code. +type: keyword +-- +*`cisco.rsa.misc.cpu_data`*:: ++ +-- type: keyword -- -*`icmp.type`*:: +*`cisco.rsa.misc.criticality`*:: + -- -ICMP type. +type: keyword +-- +*`cisco.rsa.misc.cs_agency_dst`*:: ++ +-- type: keyword -- -*`igmp.type`*:: +*`cisco.rsa.misc.cs_analyzedby`*:: + -- -IGMP type. +type: keyword +-- +*`cisco.rsa.misc.cs_av_other`*:: ++ +-- type: keyword -- - -*`azure.eventhub`*:: +*`cisco.rsa.misc.cs_av_primary`*:: + -- -Name of the eventhub. +type: keyword +-- +*`cisco.rsa.misc.cs_av_secondary`*:: ++ +-- type: keyword -- -*`azure.offset`*:: +*`cisco.rsa.misc.cs_bgpv6nxthop`*:: + -- -The offset. 
+type: keyword +-- -type: long +*`cisco.rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword -- -*`azure.enqueued_time`*:: +*`cisco.rsa.misc.cs_context`*:: + -- -The enqueued time. +type: keyword +-- -type: date +*`cisco.rsa.misc.cs_control`*:: ++ +-- +type: keyword -- -*`azure.partition_id`*:: +*`cisco.rsa.misc.cs_data`*:: + -- -The partition id. +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_datecret`*:: ++ +-- +type: keyword -- -*`azure.consumer_group`*:: +*`cisco.rsa.misc.cs_dst_tld`*:: + -- -The consumer group. +type: keyword +-- +*`cisco.rsa.misc.cs_eth_dst_ven`*:: ++ +-- type: keyword -- -*`azure.sequence_number`*:: +*`cisco.rsa.misc.cs_eth_src_ven`*:: + -- -The sequence number. - +type: keyword -type: long +-- +*`cisco.rsa.misc.cs_event_uuid`*:: ++ -- +type: keyword +-- -*`kafka.topic`*:: +*`cisco.rsa.misc.cs_filetype`*:: + -- -Kafka topic +type: keyword +-- +*`cisco.rsa.misc.cs_fld`*:: ++ +-- type: keyword -- -*`kafka.partition`*:: +*`cisco.rsa.misc.cs_if_desc`*:: + -- -Kafka partition number +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_if_name`*:: ++ +-- +type: keyword -- -*`kafka.offset`*:: +*`cisco.rsa.misc.cs_ip_next_hop`*:: + -- -Kafka offset of this message +type: keyword +-- -type: long +*`cisco.rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword -- -*`kafka.key`*:: +*`cisco.rsa.misc.cs_ipv4srcpre`*:: + -- -Kafka key, corresponding to the Kafka value stored in the message +type: keyword +-- +*`cisco.rsa.misc.cs_lifetime`*:: ++ +-- type: keyword -- -*`kafka.block_timestamp`*:: +*`cisco.rsa.misc.cs_log_medium`*:: + -- -Kafka outer (compressed) block timestamp +type: keyword +-- -type: date +*`cisco.rsa.misc.cs_loginname`*:: ++ +-- +type: keyword -- -*`kafka.headers`*:: +*`cisco.rsa.misc.cs_modulescore`*:: + -- -An array of Kafka header strings for this message, in the form ": ". 
+type: keyword +-- -type: array +*`cisco.rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword -- -[[exported-fields-logstash]] -== logstash fields +*`cisco.rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword -logstash Module +-- +*`cisco.rsa.misc.cs_payload`*:: ++ +-- +type: keyword +-- -[float] -=== logstash +*`cisco.rsa.misc.cs_registrant`*:: ++ +-- +type: keyword +-- +*`cisco.rsa.misc.cs_registrar`*:: ++ +-- +type: keyword +-- -[float] -=== log +*`cisco.rsa.misc.cs_represult`*:: ++ +-- +type: keyword -Fields from the Logstash logs. +-- +*`cisco.rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword +-- -*`logstash.log.module`*:: +*`cisco.rsa.misc.cs_sampler_name`*:: + -- -The module or class where the event originate. +type: keyword +-- +*`cisco.rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- -*`logstash.log.thread`*:: +*`cisco.rsa.misc.cs_streams`*:: + -- -Information about the running thread where the log originate. +type: keyword +-- +*`cisco.rsa.misc.cs_targetmodule`*:: ++ +-- type: keyword -- -*`logstash.log.thread.text`*:: +*`cisco.rsa.misc.cs_v6nxthop`*:: + -- -type: text +type: keyword -- -*`logstash.log.log_event`*:: +*`cisco.rsa.misc.cs_whois_server`*:: + -- -key and value debugging information. +type: keyword +-- -type: object +*`cisco.rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword -- -*`logstash.log.pipeline_id`*:: +*`cisco.rsa.misc.description`*:: + -- -The ID of the pipeline. +type: keyword +-- +*`cisco.rsa.misc.devvendor`*:: ++ +-- type: keyword -example: main - -- -*`logstash.log.message`*:: +*`cisco.rsa.misc.distance`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`logstash.log.level`*:: +*`cisco.rsa.misc.dstburb`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -[float] -=== slowlog +*`cisco.rsa.misc.edomain`*:: ++ +-- +type: keyword -slowlog +-- +*`cisco.rsa.misc.edomaub`*:: ++ +-- +type: keyword +-- -*`logstash.slowlog.module`*:: +*`cisco.rsa.misc.euid`*:: + -- -The module or class where the event originate. 
+type: keyword +-- +*`cisco.rsa.misc.facility`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread`*:: +*`cisco.rsa.misc.finterface`*:: + -- -Information about the running thread where the log originate. +type: keyword +-- +*`cisco.rsa.misc.flags`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread.text`*:: +*`cisco.rsa.misc.gaddr`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.event`*:: +*`cisco.rsa.misc.id3`*:: + -- -Raw dump of the original event +type: keyword +-- +*`cisco.rsa.misc.im_buddyname`*:: ++ +-- type: keyword -- -*`logstash.slowlog.event.text`*:: +*`cisco.rsa.misc.im_croomid`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_name`*:: +*`cisco.rsa.misc.im_croomtype`*:: + -- -Name of the plugin +type: keyword +-- +*`cisco.rsa.misc.im_members`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_type`*:: +*`cisco.rsa.misc.im_username`*:: + -- -Type of the plugin: Inputs, Filters, Outputs or Codecs. +type: keyword +-- +*`cisco.rsa.misc.ipkt`*:: ++ +-- type: keyword -- -*`logstash.slowlog.took_in_millis`*:: +*`cisco.rsa.misc.ipscat`*:: + -- -Execution time for the plugin in milliseconds. +type: keyword +-- -type: long +*`cisco.rsa.misc.ipspri`*:: ++ +-- +type: keyword -- -*`logstash.slowlog.plugin_params`*:: +*`cisco.rsa.misc.latitude`*:: + -- -String value of the plugin configuration +type: keyword +-- +*`cisco.rsa.misc.linenum`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_params.text`*:: +*`cisco.rsa.misc.list_name`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_params_object`*:: +*`cisco.rsa.misc.load_data`*:: + -- -key -> value of the configuration used by the plugin. 
+type: keyword +-- -type: object +*`cisco.rsa.misc.location_floor`*:: ++ +-- +type: keyword -- -*`logstash.slowlog.level`*:: +*`cisco.rsa.misc.location_mark`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`logstash.slowlog.took_in_nanos`*:: +*`cisco.rsa.misc.log_id`*:: + -- -type: alias - -alias to: event.duration +type: keyword -- -[[exported-fields-misp]] -== MISP fields +*`cisco.rsa.misc.log_type`*:: ++ +-- +type: keyword -Module for handling threat information from MISP. +-- +*`cisco.rsa.misc.logid`*:: ++ +-- +type: keyword +-- -[float] -=== misp +*`cisco.rsa.misc.logip`*:: ++ +-- +type: keyword -Fields from MISP threat information. +-- +*`cisco.rsa.misc.logname`*:: ++ +-- +type: keyword +-- -[float] -=== attack_pattern +*`cisco.rsa.misc.longitude`*:: ++ +-- +type: keyword -Fields provide support for specifying information about attack patterns. +-- +*`cisco.rsa.misc.lport`*:: ++ +-- +type: keyword +-- -*`misp.attack_pattern.id`*:: +*`cisco.rsa.misc.mbug_data`*:: + -- -Identifier of the threat indicator. +type: keyword +-- +*`cisco.rsa.misc.misc_name`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.name`*:: +*`cisco.rsa.misc.msg_type`*:: + -- -Name of the attack pattern. +type: keyword +-- +*`cisco.rsa.misc.msgid`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.description`*:: +*`cisco.rsa.misc.netsessid`*:: + -- -Description of the attack pattern. +type: keyword +-- -type: text +*`cisco.rsa.misc.num`*:: ++ +-- +type: keyword -- -*`misp.attack_pattern.kill_chain_phases`*:: +*`cisco.rsa.misc.number1`*:: + -- -The kill chain phase(s) to which this attack pattern corresponds. +type: keyword +-- +*`cisco.rsa.misc.number2`*:: ++ +-- type: keyword -- -[float] -=== campaign +*`cisco.rsa.misc.nwwn`*:: ++ +-- +type: keyword -Fields provide support for specifying information about campaigns. +-- +*`cisco.rsa.misc.object`*:: ++ +-- +type: keyword +-- -*`misp.campaign.id`*:: +*`cisco.rsa.misc.operation`*:: + -- -Identifier of the campaign. 
+type: keyword +-- +*`cisco.rsa.misc.opkt`*:: ++ +-- type: keyword -- -*`misp.campaign.name`*:: +*`cisco.rsa.misc.orig_from`*:: + -- -Name of the campaign. +type: keyword +-- +*`cisco.rsa.misc.owner_id`*:: ++ +-- type: keyword -- -*`misp.campaign.description`*:: +*`cisco.rsa.misc.p_action`*:: + -- -Description of the campaign. +type: keyword +-- -type: text +*`cisco.rsa.misc.p_filter`*:: ++ +-- +type: keyword -- -*`misp.campaign.aliases`*:: +*`cisco.rsa.misc.p_group_object`*:: + -- -Alternative names used to identify this campaign. +type: keyword +-- -type: text +*`cisco.rsa.misc.p_id`*:: ++ +-- +type: keyword -- -*`misp.campaign.first_seen`*:: +*`cisco.rsa.misc.p_msgid1`*:: + -- -The time that this Campaign was first seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.p_msgid2`*:: ++ +-- +type: keyword -- -*`misp.campaign.last_seen`*:: +*`cisco.rsa.misc.p_result1`*:: + -- -The time that this Campaign was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.password_chg`*:: ++ +-- +type: keyword -- -*`misp.campaign.objective`*:: +*`cisco.rsa.misc.password_expire`*:: + -- -This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. +type: keyword +-- +*`cisco.rsa.misc.permgranted`*:: ++ +-- type: keyword -- -[float] -=== course_of_action +*`cisco.rsa.misc.permwanted`*:: ++ +-- +type: keyword -A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. +-- +*`cisco.rsa.misc.pgid`*:: ++ +-- +type: keyword +-- -*`misp.course_of_action.id`*:: +*`cisco.rsa.misc.policyUUID`*:: + -- -Identifier of the Course of Action. +type: keyword +-- +*`cisco.rsa.misc.prog_asp_num`*:: ++ +-- type: keyword -- -*`misp.course_of_action.name`*:: +*`cisco.rsa.misc.program`*:: + -- -The name used to identify the Course of Action. 
+type: keyword +-- +*`cisco.rsa.misc.real_data`*:: ++ +-- type: keyword -- -*`misp.course_of_action.description`*:: +*`cisco.rsa.misc.rec_asp_device`*:: + -- -Description of the Course of Action. +type: keyword +-- -type: text +*`cisco.rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword -- -[float] -=== identity +*`cisco.rsa.misc.rec_library`*:: ++ +-- +type: keyword -Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. +-- +*`cisco.rsa.misc.recordnum`*:: ++ +-- +type: keyword +-- -*`misp.identity.id`*:: +*`cisco.rsa.misc.ruid`*:: + -- -Identifier of the Identity. +type: keyword +-- +*`cisco.rsa.misc.sburb`*:: ++ +-- type: keyword -- -*`misp.identity.name`*:: +*`cisco.rsa.misc.sdomain_fld`*:: + -- -The name used to identify the Identity. +type: keyword +-- +*`cisco.rsa.misc.sec`*:: ++ +-- type: keyword -- -*`misp.identity.description`*:: +*`cisco.rsa.misc.sensorname`*:: + -- -Description of the Identity. +type: keyword +-- -type: text +*`cisco.rsa.misc.seqnum`*:: ++ +-- +type: keyword -- -*`misp.identity.identity_class`*:: +*`cisco.rsa.misc.session`*:: + -- -The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov +type: keyword +-- +*`cisco.rsa.misc.sessiontype`*:: ++ +-- type: keyword -- -*`misp.identity.labels`*:: +*`cisco.rsa.misc.sigUUID`*:: + -- -The list of roles that this Identity performs. +type: keyword +-- +*`cisco.rsa.misc.spi`*:: ++ +-- type: keyword -example: CEO +-- +*`cisco.rsa.misc.srcburb`*:: ++ +-- +type: keyword -- -*`misp.identity.sectors`*:: +*`cisco.rsa.misc.srcdom`*:: + -- -The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov +type: keyword +-- +*`cisco.rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`misp.identity.contact_information`*:: +*`cisco.rsa.misc.state`*:: + -- -The contact information (e-mail, phone number, etc.) for this Identity. 
+type: keyword +-- -type: text +*`cisco.rsa.misc.status1`*:: ++ +-- +type: keyword -- -[float] -=== intrusion_set +*`cisco.rsa.misc.svcno`*:: ++ +-- +type: keyword -An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. +-- +*`cisco.rsa.misc.system`*:: ++ +-- +type: keyword +-- -*`misp.intrusion_set.id`*:: +*`cisco.rsa.misc.tbdstr1`*:: + -- -Identifier of the Intrusion Set. +type: keyword +-- +*`cisco.rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.name`*:: +*`cisco.rsa.misc.tgtdomain`*:: + -- -The name used to identify the Intrusion Set. +type: keyword +-- +*`cisco.rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.description`*:: +*`cisco.rsa.misc.type1`*:: + -- -Description of the Intrusion Set. +type: keyword +-- -type: text +*`cisco.rsa.misc.udb_class`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.aliases`*:: +*`cisco.rsa.misc.url_fld`*:: + -- -Alternative names used to identify the Intrusion Set. +type: keyword +-- -type: text +*`cisco.rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.first_seen`*:: +*`cisco.rsa.misc.userid`*:: + -- -The time that this Intrusion Set was first seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.username_fld`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.last_seen`*:: +*`cisco.rsa.misc.utcstamp`*:: + -- -The time that this Intrusion Set was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`cisco.rsa.misc.v_instafname`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.goals`*:: +*`cisco.rsa.misc.virt_data`*:: + -- -The high level goals of this Intrusion Set, namely, what are they trying to do. 
+type: keyword +-- -type: text +*`cisco.rsa.misc.vpnid`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.resource_level`*:: +*`cisco.rsa.misc.autorun_type`*:: + -- -This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov +This is used to capture Auto Run type - -type: text +type: keyword -- -*`misp.intrusion_set.primary_motivation`*:: +*`cisco.rsa.misc.cc_number`*:: + -- -The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov - +Valid Credit Card Numbers only -type: text +type: long -- -*`misp.intrusion_set.secondary_motivations`*:: +*`cisco.rsa.misc.content`*:: + -- -The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov +This key captures the content type from protocol headers - -type: text +type: keyword -- -[float] -=== malware - -Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. +*`cisco.rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only +type: long +-- -*`misp.malware.id`*:: +*`cisco.rsa.misc.found`*:: + -- -Identifier of the Malware. - +This is used to capture the results of regex match type: keyword -- -*`misp.malware.name`*:: +*`cisco.rsa.misc.language`*:: + -- -The name used to identify the Malware. - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`misp.malware.description`*:: +*`cisco.rsa.misc.lifetime`*:: + -- -Description of the Malware. - +This key is used to capture the session lifetime in seconds. -type: text +type: long -- -*`misp.malware.labels`*:: +*`cisco.rsa.misc.link`*:: + -- -The type of malware being described. 
Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`misp.malware.kill_chain_phases`*:: +*`cisco.rsa.misc.match`*:: + -- -The list of kill chain phases for which this Malware instance can be used. - +This key is for regex match name from search.ini type: keyword -format: string - -- -[float] -=== note - -A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. - - - -*`misp.note.id`*:: +*`cisco.rsa.misc.param_dst`*:: + -- -Identifier of the Note. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`misp.note.summary`*:: +*`cisco.rsa.misc.param_src`*:: + -- -A brief description used as a summary of the Note. - +This key captures source parameter type: keyword -- -*`misp.note.description`*:: +*`cisco.rsa.misc.search_text`*:: + -- -The content of the Note. - +This key captures the Search Text used -type: text +type: keyword -- -*`misp.note.authors`*:: +*`cisco.rsa.misc.sig_name`*:: + -- -The name of the author(s) of this Note. - +This key is used to capture the Signature Name only. type: keyword -- -*`misp.note.object_refs`*:: +*`cisco.rsa.misc.snmp_value`*:: + -- -The STIX Objects (SDOs and SROs) that the note is being applied to. - +SNMP set request value type: keyword -- -[float] -=== threat_indicator +*`cisco.rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session -Fields provide support for specifying information about threat indicators, and related matching patterns. 
+type: long +-- -*`misp.threat_indicator.labels`*:: +*`cisco.rsa.db.index`*:: + -- -list of type open-vocab that specifies the type of indicator. - +This key captures IndexID of the index. type: keyword -example: Domain Watchlist - - -- -*`misp.threat_indicator.id`*:: +*`cisco.rsa.db.instance`*:: + -- -Identifier of the threat indicator. - +This key is used to capture the database server instance name type: keyword -- -*`misp.threat_indicator.version`*:: +*`cisco.rsa.db.database`*:: + -- -Version of the threat indicator. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`misp.threat_indicator.type`*:: +*`cisco.rsa.db.transact_id`*:: + -- -Type of the threat indicator. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`misp.threat_indicator.description`*:: +*`cisco.rsa.db.permissions`*:: + -- -Description of the threat indicator. +This key captures permission or privilege level assigned to a resource. - -type: text +type: keyword -- -*`misp.threat_indicator.feed`*:: +*`cisco.rsa.db.table_name`*:: + -- -Name of the threat feed. - +This key is used to capture the table name -type: text +type: keyword -- -*`misp.threat_indicator.valid_from`*:: +*`cisco.rsa.db.db_id`*:: + -- -The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. +This key is used to capture the unique identifier for a database - -type: date +type: keyword -- -*`misp.threat_indicator.valid_until`*:: +*`cisco.rsa.db.db_pid`*:: + -- -The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. 
- +This key captures the process id of a connection with database server -type: date +type: long -- -*`misp.threat_indicator.severity`*:: +*`cisco.rsa.db.lread`*:: + -- -Threat severity to which this indicator corresponds. +This key is used for the number of logical reads +type: long -type: keyword +-- -example: high +*`cisco.rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes -format: string +type: long -- -*`misp.threat_indicator.confidence`*:: +*`cisco.rsa.db.pread`*:: + -- -Confidence level to which this indicator corresponds. - - -type: keyword +This key is used for the number of physical writes -example: high +type: long -- -*`misp.threat_indicator.kill_chain_phases`*:: + +*`cisco.rsa.network.alias_host`*:: + -- -The kill chain phase(s) to which this indicator corresponds. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -format: string - -- -*`misp.threat_indicator.mitre_tactic`*:: +*`cisco.rsa.network.domain`*:: + -- -MITRE tactics to which this indicator corresponds. - - type: keyword -example: Initial Access - -format: string - -- -*`misp.threat_indicator.mitre_technique`*:: +*`cisco.rsa.network.host_dst`*:: + -- -MITRE techniques to which this indicator corresponds. - +This key should only be used when it’s a Destination Hostname type: keyword -example: Drive-by Compromise - -format: string - -- -*`misp.threat_indicator.attack_pattern`*:: +*`cisco.rsa.network.network_service`*:: + -- -The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. 
- +This is used to capture layer 7 protocols/service names type: keyword -example: [destination:ip = '91.219.29.188/32'] - - -- -*`misp.threat_indicator.attack_pattern_kql`*:: +*`cisco.rsa.network.interface`*:: + -- -The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. - +This key should be used when the source or destination context of an interface is not clear type: keyword -example: destination.ip: "91.219.29.188/32" - - -- -*`misp.threat_indicator.negate`*:: +*`cisco.rsa.network.network_port`*:: + -- -When set to true, it specifies the absence of the attack_pattern. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: boolean +type: long -- -*`misp.threat_indicator.intrusion_set`*:: +*`cisco.rsa.network.eth_host`*:: + -- -Name of the intrusion set if known. - +Deprecated, use alias.mac type: keyword -- -*`misp.threat_indicator.campaign`*:: +*`cisco.rsa.network.sinterface`*:: + -- -Name of the attack campaign if known. - +This key should only be used when it’s a Source Interface type: keyword -- -*`misp.threat_indicator.threat_actor`*:: +*`cisco.rsa.network.dinterface`*:: + -- -Name of the threat actor if known. - +This key should only be used when it’s a Destination Interface type: keyword -- -[float] -=== observed_data - -Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. +*`cisco.rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN +type: long +-- -*`misp.observed_data.id`*:: +*`cisco.rsa.network.zone_src`*:: + -- -Identifier of the Observed Data. - +This key should only be used when it’s a Source Zone. 
type: keyword -- -*`misp.observed_data.first_observed`*:: +*`cisco.rsa.network.zone`*:: + -- -The beginning of the time window that the data was observed, in RFC3339 format. - +This key should be used when the source or destination context of a Zone is not clear -type: date +type: keyword -- -*`misp.observed_data.last_observed`*:: +*`cisco.rsa.network.zone_dst`*:: + -- -The end of the time window that the data was observed, in RFC3339 format. +This key should only be used when it’s a Destination Zone. - -type: date +type: keyword -- -*`misp.observed_data.number_observed`*:: +*`cisco.rsa.network.gateway`*:: + -- -The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive. - +This key is used to capture the IP Address of the gateway -type: integer +type: keyword -- -*`misp.observed_data.objects`*:: +*`cisco.rsa.network.icmp_type`*:: + -- -A dictionary of Cyber Observable Objects that describes the single fact that was observed. +This key is used to capture the ICMP type only - -type: keyword +type: long -- -[float] -=== report - -Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. +*`cisco.rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. +type: keyword +-- -*`misp.report.id`*:: +*`cisco.rsa.network.icmp_code`*:: + -- -Identifier of the Report. - +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`misp.report.labels`*:: +*`cisco.rsa.network.protocol_detail`*:: + -- -This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. 
threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability - +This key should be used to capture additional protocol information type: keyword -- -*`misp.report.name`*:: +*`cisco.rsa.network.dmask`*:: + -- -The name used to identify the Report. - +This key is used for Destionation Device network mask type: keyword -- -*`misp.report.description`*:: +*`cisco.rsa.network.port`*:: + -- -A description that provides more details and context about Report. +This key should only be used to capture a Network Port when the directionality is not clear - -type: text +type: long -- -*`misp.report.published`*:: +*`cisco.rsa.network.smask`*:: + -- -The date that this report object was officially published by the creator of this report, in RFC3339 format. - +This key is used for capturing source Network Mask -type: date +type: keyword -- -*`misp.report.object_refs`*:: +*`cisco.rsa.network.netname`*:: + -- -Specifies the STIX Objects that are referred to by this Report. +This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: text +type: keyword -- -[float] -=== threat_actor - -Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. +*`cisco.rsa.network.paddr`*:: ++ +-- +Deprecated +type: ip +-- -*`misp.threat_actor.id`*:: +*`cisco.rsa.network.faddr`*:: + -- -Identifier of the Threat Actor. - - type: keyword -- -*`misp.threat_actor.labels`*:: +*`cisco.rsa.network.lhost`*:: + -- -This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist - - type: keyword -- -*`misp.threat_actor.name`*:: +*`cisco.rsa.network.origin`*:: + -- -The name used to identify this Threat Actor or Threat Actor group. 
- - type: keyword -- -*`misp.threat_actor.description`*:: +*`cisco.rsa.network.remote_domain_id`*:: + -- -A description that provides more details and context about the Threat Actor. - - -type: text +type: keyword -- -*`misp.threat_actor.aliases`*:: +*`cisco.rsa.network.addr`*:: + -- -A list of other names that this Threat Actor is believed to use. - - -type: text +type: keyword -- -*`misp.threat_actor.roles`*:: +*`cisco.rsa.network.dns_a_record`*:: + -- -This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author - - -type: text +type: keyword -- -*`misp.threat_actor.goals`*:: +*`cisco.rsa.network.dns_ptr_record`*:: + -- -The high level goals of this Threat Actor, namely, what are they trying to do. - - -type: text +type: keyword -- -*`misp.threat_actor.sophistication`*:: +*`cisco.rsa.network.fhost`*:: + -- -The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator - - -type: text +type: keyword -- -*`misp.threat_actor.resource_level`*:: +*`cisco.rsa.network.fport`*:: + -- -This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government +type: keyword +-- -type: text +*`cisco.rsa.network.laddr`*:: ++ +-- +type: keyword -- -*`misp.threat_actor.primary_motivation`*:: +*`cisco.rsa.network.linterface`*:: + -- -The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +type: keyword +-- -type: text +*`cisco.rsa.network.phost`*:: ++ +-- +type: keyword -- -*`misp.threat_actor.secondary_motivations`*:: +*`cisco.rsa.network.ad_computer_dst`*:: + -- -The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - +Deprecated, use host.dst -type: text +type: keyword -- -*`misp.threat_actor.personal_motivations`*:: +*`cisco.rsa.network.eth_type`*:: + -- -The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: text +type: long -- -[float] -=== tool - -Tools are legitimate software that can be used by threat actors to perform attacks. +*`cisco.rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: long +-- -*`misp.tool.id`*:: +*`cisco.rsa.network.dns_cname_record`*:: + -- -Identifier of the Tool. +type: keyword +-- +*`cisco.rsa.network.dns_id`*:: ++ +-- type: keyword -- -*`misp.tool.labels`*:: +*`cisco.rsa.network.dns_opcode`*:: + -- -The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning +type: keyword +-- +*`cisco.rsa.network.dns_resp`*:: ++ +-- type: keyword -- -*`misp.tool.name`*:: +*`cisco.rsa.network.dns_type`*:: + -- -The name used to identify the Tool. 
+type: keyword +-- +*`cisco.rsa.network.domain1`*:: ++ +-- type: keyword -- -*`misp.tool.description`*:: +*`cisco.rsa.network.host_type`*:: + -- -A description that provides more details and context about the Tool. +type: keyword +-- -type: text +*`cisco.rsa.network.packet_length`*:: ++ +-- +type: keyword -- -*`misp.tool.tool_version`*:: +*`cisco.rsa.network.host_orig`*:: + -- -The version identifier associated with the Tool. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`misp.tool.kill_chain_phases`*:: +*`cisco.rsa.network.rpayload`*:: + -- -The list of kill chain phases for which this Tool instance can be used. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: text +type: keyword -- -[float] -=== vulnerability +*`cisco.rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN -A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. +type: keyword +-- -*`misp.vulnerability.id`*:: +*`cisco.rsa.investigations.ec_activity`*:: + -- -Identifier of the Vulnerability. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`misp.vulnerability.name`*:: +*`cisco.rsa.investigations.ec_theme`*:: + -- -The name used to identify the Vulnerability. - +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`misp.vulnerability.description`*:: +*`cisco.rsa.investigations.ec_subject`*:: + -- -A description that provides more details and context about the Vulnerability. +This key captures the Subject of a particular Event(Ex:User) - -type: text +type: keyword -- -[[exported-fields-mongodb]] -== mongodb fields +*`cisco.rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) -Module for parsing MongoDB log files. 
+type: keyword +-- +*`cisco.rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number -[float] -=== mongodb +type: long -Fields from MongoDB logs. +-- +*`cisco.rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code +type: keyword -[float] -=== log +-- -Contains fields from MongoDB logs. +*`cisco.rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +type: keyword +-- -*`mongodb.log.component`*:: +*`cisco.rsa.investigations.analysis_file`*:: + -- -Functional categorization of message - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -example: COMMAND - -- -*`mongodb.log.context`*:: +*`cisco.rsa.investigations.analysis_service`*:: + -- -Context of message - +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -example: initandlisten - -- -*`mongodb.log.severity`*:: +*`cisco.rsa.investigations.analysis_session`*:: + -- -type: alias +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session -alias to: log.level +type: keyword -- -*`mongodb.log.message`*:: +*`cisco.rsa.investigations.boc`*:: + -- -type: alias +This is used to capture behaviour of compromise -alias to: message +type: keyword -- -[[exported-fields-mssql]] -== mssql fields +*`cisco.rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise -MS SQL Filebeat Module +type: keyword +-- -[float] -=== mssql +*`cisco.rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category -Fields from the MSSQL log files +type: keyword +-- -[float] -=== log +*`cisco.rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context -Common log fields +type: keyword +-- -*`mssql.log.origin`*:: +*`cisco.rsa.investigations.ioc`*:: + -- -Origin of the message, usually the server but it can also be a recovery process +This is key capture indicator of compromise type: keyword -- -[[exported-fields-mysql]] -== MySQL fields - -Module for parsing the MySQL log files. +*`cisco.rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only +type: long -[float] -=== mysql +-- -Fields from the MySQL log files. +*`cisco.rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only +type: long +-- -*`mysql.thread_id`*:: +*`cisco.rsa.counters.event_counter`*:: + -- -The connection or thread ID for the query. - +This is used to capture the number of times an event repeated type: long -- -[float] -=== error - -Contains fields from the MySQL error logs. 
+*`cisco.rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only +type: keyword +-- -*`mysql.error.thread_id`*:: +*`cisco.rsa.counters.dclass_c3`*:: + -- -type: alias +This is a generic counter key that should be used with the label dclass.c3.str only -alias to: mysql.thread_id +type: long -- -*`mysql.error.level`*:: +*`cisco.rsa.counters.dclass_c1_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c1 only -alias to: log.level +type: keyword -- -*`mysql.error.message`*:: +*`cisco.rsa.counters.dclass_c2_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c2 only -alias to: message +type: keyword -- -[float] -=== slowlog - -Contains fields from the MySQL slow logs. +*`cisco.rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only +type: keyword +-- -*`mysql.slowlog.lock_time.sec`*:: +*`cisco.rsa.counters.dclass_r2`*:: + -- -The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. - +This is a generic ratio key that should be used with the label dclass.r2.str only -type: float +type: keyword -- -*`mysql.slowlog.rows_sent`*:: +*`cisco.rsa.counters.dclass_c3_str`*:: + -- -The number of rows returned by the query. +This is a generic counter string key that should be used with the label dclass.c3 only - -type: long +type: keyword -- -*`mysql.slowlog.rows_examined`*:: +*`cisco.rsa.counters.dclass_r3`*:: + -- -The number of rows scanned by the query. - +This is a generic ratio key that should be used with the label dclass.r3.str only -type: long +type: keyword -- -*`mysql.slowlog.rows_affected`*:: +*`cisco.rsa.counters.dclass_r2_str`*:: + -- -The number of rows modified by the query. 
+This is a generic ratio string key that should be used with the label dclass.r2 only - -type: long +type: keyword -- -*`mysql.slowlog.bytes_sent`*:: +*`cisco.rsa.counters.dclass_r3_str`*:: + -- -The number of bytes sent to client. - - -type: long +This is a generic ratio string key that should be used with the label dclass.r3 only -format: bytes +type: keyword -- -*`mysql.slowlog.bytes_received`*:: + +*`cisco.rsa.identity.auth_method`*:: + -- -The number of bytes received from client. - - -type: long +This key is used to capture authentication methods used only -format: bytes +type: keyword -- -*`mysql.slowlog.query`*:: +*`cisco.rsa.identity.user_role`*:: + -- -The slow query. +This key is used to capture the Role of a user only +type: keyword -- -*`mysql.slowlog.id`*:: +*`cisco.rsa.identity.dn`*:: + -- -type: alias +X.500 (LDAP) Distinguished Name -alias to: mysql.thread_id +type: keyword -- -*`mysql.slowlog.schema`*:: +*`cisco.rsa.identity.logon_type`*:: + -- -The schema where the slow query was executed. - +This key is used to capture the type of logon method used. type: keyword -- -*`mysql.slowlog.current_user`*:: +*`cisco.rsa.identity.profile`*:: + -- -Current authenticated user, used to determine access privileges. Can differ from the value for user. - +This key is used to capture the user profile type: keyword -- -*`mysql.slowlog.last_errno`*:: +*`cisco.rsa.identity.accesses`*:: + -- -Last SQL error seen. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`mysql.slowlog.killed`*:: +*`cisco.rsa.identity.realm`*:: + -- -Code of the reason if the query was killed. - +Radius realm or similar grouping of accounts type: keyword -- -*`mysql.slowlog.query_cache_hit`*:: +*`cisco.rsa.identity.user_sid_dst`*:: + -- -Whether the query cache was hit. 
- +This key captures Destination User Session ID -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table`*:: +*`cisco.rsa.identity.dn_src`*:: + -- -Whether a temporary table was used to resolve the query. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table_on_disk`*:: +*`cisco.rsa.identity.org`*:: + -- -Whether the query needed temporary tables on disk. - +This key captures the User organization -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_tables`*:: +*`cisco.rsa.identity.dn_dst`*:: + -- -Number of temporary tables created for this query +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: long +type: keyword -- -*`mysql.slowlog.tmp_disk_tables`*:: +*`cisco.rsa.identity.firstname`*:: + -- -Number of temporary tables created on disk for this query. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`mysql.slowlog.tmp_table_sizes`*:: +*`cisco.rsa.identity.lastname`*:: + -- -Size of temporary tables created for this query. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.filesort`*:: +*`cisco.rsa.identity.user_dept`*:: + -- -Whether filesort optimization was used. +User's Department Names only - -type: boolean +type: keyword -- -*`mysql.slowlog.filesort_on_disk`*:: +*`cisco.rsa.identity.user_sid_src`*:: + -- -Whether filesort optimization was used and it needed temporary tables on disk. +This key captures Source User Session ID - -type: boolean +type: keyword -- -*`mysql.slowlog.priority_queue`*:: +*`cisco.rsa.identity.federated_sp`*:: + -- -Whether a priority queue was used for filesort. +This key is the Federated Service Provider. This is the application requesting authentication. 
- -type: boolean +type: keyword -- -*`mysql.slowlog.full_scan`*:: +*`cisco.rsa.identity.federated_idp`*:: + -- -Whether a full table scan was needed for the slow query. - +This key is the federated Identity Provider. This is the server providing the authentication. -type: boolean +type: keyword -- -*`mysql.slowlog.full_join`*:: +*`cisco.rsa.identity.logon_type_desc`*:: + -- -Whether a full join was needed for the slow query (no indexes were used for joins). +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - -type: boolean +type: keyword -- -*`mysql.slowlog.merge_passes`*:: +*`cisco.rsa.identity.middlename`*:: + -- -Number of merge passes executed for the query. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`mysql.slowlog.sort_merge_passes`*:: +*`cisco.rsa.identity.password`*:: + -- -Number of merge passes that the sort algorithm has had to do. +This key is for Passwords seen in any session, plain text or encrypted - -type: long +type: keyword -- -*`mysql.slowlog.sort_range_count`*:: +*`cisco.rsa.identity.host_role`*:: + -- -Number of sorts that were done using ranges. - +This key should only be used to capture the role of a Host Machine -type: long +type: keyword -- -*`mysql.slowlog.sort_rows`*:: +*`cisco.rsa.identity.ldap`*:: + -- -Number of sorted rows. +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: long +type: keyword -- -*`mysql.slowlog.sort_scan_count`*:: +*`cisco.rsa.identity.ldap_query`*:: + -- -Number of sorts that were done by scanning the table. 
- +This key is the Search criteria from an LDAP search -type: long +type: keyword -- -*`mysql.slowlog.log_slow_rate_type`*:: +*`cisco.rsa.identity.ldap_response`*:: + -- -Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. - +This key is to capture Results from an LDAP search type: keyword -- -*`mysql.slowlog.log_slow_rate_limit`*:: +*`cisco.rsa.identity.owner`*:: + -- -Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`mysql.slowlog.read_first`*:: +*`cisco.rsa.identity.service_account`*:: + -- -The number of times the first entry in an index was read. +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: long +type: keyword -- -*`mysql.slowlog.read_last`*:: + +*`cisco.rsa.email.email_dst`*:: + -- -The number of times the last key in an index was read. +This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: long +type: keyword -- -*`mysql.slowlog.read_key`*:: +*`cisco.rsa.email.email_src`*:: + -- -The number of requests to read a row based on a key. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`mysql.slowlog.read_next`*:: +*`cisco.rsa.email.subject`*:: + -- -The number of requests to read the next row in key order. +This key is used to capture the subject string from an Email only. - -type: long +type: keyword -- -*`mysql.slowlog.read_prev`*:: +*`cisco.rsa.email.email`*:: + -- -The number of requests to read the previous row in key order. 
- +This key is used to capture a generic email address where the source or destination context is not clear -type: long +type: keyword -- -*`mysql.slowlog.read_rnd`*:: +*`cisco.rsa.email.trans_from`*:: + -- -The number of requests to read a row based on a fixed position. +Deprecated key defined only in table map. - -type: long +type: keyword -- -*`mysql.slowlog.read_rnd_next`*:: +*`cisco.rsa.email.trans_to`*:: + -- -The number of requests to read the next row in the data file. - +Deprecated key defined only in table map. -type: long +type: keyword -- -[float] -=== innodb - -Contains fields relative to InnoDB engine - - -*`mysql.slowlog.innodb.trx_id`*:: +*`cisco.rsa.file.privilege`*:: + -- -Transaction ID - +Deprecated, use permissions type: keyword -- -*`mysql.slowlog.innodb.io_r_ops`*:: +*`cisco.rsa.file.attachment`*:: + -- -Number of page read operations. - +This key captures the attachment file name -type: long +type: keyword -- -*`mysql.slowlog.innodb.io_r_bytes`*:: +*`cisco.rsa.file.filesystem`*:: + -- -Bytes read during page read operations. - - -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.innodb.io_r_wait.sec`*:: +*`cisco.rsa.file.binary`*:: + -- -How long it took to read all needed data from storage. +Deprecated key defined only in table map. - -type: long +type: keyword -- -*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: +*`cisco.rsa.file.filename_dst`*:: + -- -How long the query waited for locks. - +This is used to capture name of the file targeted by the action -type: long +type: keyword -- -*`mysql.slowlog.innodb.queue_wait.sec`*:: +*`cisco.rsa.file.filename_src`*:: + -- -How long the query waited to enter the InnoDB queue and to be executed once in the queue. +This is used to capture name of the parent filename, the file which performed the action - -type: long +type: keyword -- -*`mysql.slowlog.innodb.pages_distinct`*:: +*`cisco.rsa.file.filename_tmp`*:: + -- -Approximated count of pages accessed to execute the query. 
- - -type: long +type: keyword -- -*`mysql.slowlog.user`*:: +*`cisco.rsa.file.directory_dst`*:: + -- -type: alias +This key is used to capture the directory of the target process or file -alias to: user.name +type: keyword -- -*`mysql.slowlog.host`*:: +*`cisco.rsa.file.directory_src`*:: + -- -type: alias +This key is used to capture the directory of the source process or file -alias to: source.domain +type: keyword -- -*`mysql.slowlog.ip`*:: +*`cisco.rsa.file.file_entropy`*:: + -- -type: alias +This is used to capture entropy vale of a file -alias to: source.ip +type: double -- -[[exported-fields-nats]] -== NATS fields - -Module for parsing NATS log files. +*`cisco.rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info +type: keyword +-- -[float] -=== nats +*`cisco.rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task -Fields from NATS logs. +type: keyword +-- -[float] -=== log +*`cisco.rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names -Nats log files +type: keyword +-- +*`cisco.rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. -[float] -=== client +type: keyword -Fields from NATS logs client. +-- +*`cisco.rsa.web.alias_host`*:: ++ +-- +type: keyword +-- -*`nats.log.client.id`*:: +*`cisco.rsa.web.reputation_num`*:: + -- -The id of the client +Reputation Number of an entity. Typically used for Web Domains - -type: integer +type: double -- -[float] -=== msg - -Fields from NATS logs message. 
+*`cisco.rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain +type: keyword +-- -*`nats.log.msg.bytes`*:: +*`cisco.rsa.web.web_ref_query`*:: + -- -Size of the payload in bytes +This key captures Web referer's query portion of the URL +type: keyword -type: long +-- -format: bytes +*`cisco.rsa.web.remote_domain`*:: ++ +-- +type: keyword -- -*`nats.log.msg.type`*:: +*`cisco.rsa.web.web_ref_page`*:: + -- -The protocol message type - +This key captures Web referer's page information type: keyword -- -*`nats.log.msg.subject`*:: +*`cisco.rsa.web.web_ref_root`*:: + -- -Subject name this message was received on - +Web referer's root URL path type: keyword -- -*`nats.log.msg.sid`*:: +*`cisco.rsa.web.cn_asn_dst`*:: + -- -The unique alphanumeric subscription ID of the subject - - -type: integer +type: keyword -- -*`nats.log.msg.reply_to`*:: +*`cisco.rsa.web.cn_rpackets`*:: + -- -The inbox subject on which the publisher is listening for responses +type: keyword +-- +*`cisco.rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`nats.log.msg.max_messages`*:: +*`cisco.rsa.web.urlroot`*:: + -- -An optional number of messages to wait for before automatically unsubscribing +type: keyword +-- -type: integer +*`cisco.rsa.web.p_url`*:: ++ +-- +type: keyword -- -*`nats.log.msg.error.message`*:: +*`cisco.rsa.web.p_user_agent`*:: + -- -Details about the error occurred +type: keyword +-- -type: text +*`cisco.rsa.web.p_web_cookie`*:: ++ +-- +type: keyword -- -*`nats.log.msg.queue_group`*:: +*`cisco.rsa.web.p_web_method`*:: + -- -The queue group which subscriber will join +type: keyword +-- -type: text +*`cisco.rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -[[exported-fields-netflow]] -== NetFlow fields +*`cisco.rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword -Fields from NetFlow and IPFIX flows. +-- +*`cisco.rsa.web.web_page`*:: ++ +-- +type: keyword +-- -[float] -=== netflow -Fields from NetFlow and IPFIX. 
+*`cisco.rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert +type: keyword +-- -*`netflow.type`*:: +*`cisco.rsa.threat.threat_desc`*:: + -- -The type of NetFlow record described by this event. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -[float] -=== exporter - -Metadata related to the exporter device that generated this record. +*`cisco.rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert +type: keyword +-- -*`netflow.exporter.address`*:: +*`cisco.rsa.threat.threat_source`*:: + -- -Exporter's network address in IP:port format. - +This key is used to capture source of the threat type: keyword -- -*`netflow.exporter.source_id`*:: + +*`cisco.rsa.crypto.crypto`*:: + -- -Observation domain ID to which this record belongs. - +This key is used to capture the Encryption Type or Encryption Key only -type: long +type: keyword -- -*`netflow.exporter.timestamp`*:: +*`cisco.rsa.crypto.cipher_src`*:: + -- -Time and date of export. +This key is for Source (Client) Cipher - -type: date +type: keyword -- -*`netflow.exporter.uptime_millis`*:: +*`cisco.rsa.crypto.cert_subject`*:: + -- -How long the exporter process has been running, in milliseconds. - +This key is used to capture the Certificate organization only -type: long +type: keyword -- -*`netflow.exporter.version`*:: +*`cisco.rsa.crypto.peer`*:: + -- -NetFlow version used. +This key is for Encryption peer's IP Address - -type: integer +type: keyword -- -*`netflow.octet_delta_count`*:: +*`cisco.rsa.crypto.cipher_size_src`*:: + -- +This key captures Source (Client) Cipher Size + type: long -- -*`netflow.packet_delta_count`*:: +*`cisco.rsa.crypto.ike`*:: + -- -type: long +IKE negotiation phase. 
+ +type: keyword -- -*`netflow.delta_flow_count`*:: +*`cisco.rsa.crypto.scheme`*:: + -- -type: long +This key captures the Encryption scheme used + +type: keyword -- -*`netflow.protocol_identifier`*:: +*`cisco.rsa.crypto.peer_id`*:: + -- -type: short +This key is for Encryption peer’s identity + +type: keyword -- -*`netflow.ip_class_of_service`*:: +*`cisco.rsa.crypto.sig_type`*:: + -- -type: short +This key captures the Signature Type + +type: keyword -- -*`netflow.tcp_control_bits`*:: +*`cisco.rsa.crypto.cert_issuer`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_port`*:: +*`cisco.rsa.crypto.cert_host_name`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.source_ipv4_address`*:: +*`cisco.rsa.crypto.cert_error`*:: + -- -type: ip +This key captures the Certificate Error String + +type: keyword -- -*`netflow.source_ipv4_prefix_length`*:: +*`cisco.rsa.crypto.cipher_dst`*:: + -- -type: short +This key is for Destination (Server) Cipher + +type: keyword -- -*`netflow.ingress_interface`*:: +*`cisco.rsa.crypto.cipher_size_dst`*:: + -- +This key captures Destination (Server) Cipher Size + type: long -- -*`netflow.destination_transport_port`*:: +*`cisco.rsa.crypto.ssl_ver_src`*:: + -- -type: integer +Deprecated, use version + +type: keyword -- -*`netflow.destination_ipv4_address`*:: +*`cisco.rsa.crypto.d_certauth`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix_length`*:: +*`cisco.rsa.crypto.s_certauth`*:: + -- -type: short +type: keyword -- -*`netflow.egress_interface`*:: +*`cisco.rsa.crypto.ike_cookie1`*:: + -- -type: long +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword -- -*`netflow.ip_next_hop_ipv4_address`*:: +*`cisco.rsa.crypto.ike_cookie2`*:: + -- -type: ip +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword -- -*`netflow.bgp_source_as_number`*:: +*`cisco.rsa.crypto.cert_checksum`*:: + -- -type: long +type: keyword -- 
-*`netflow.bgp_destination_as_number`*:: +*`cisco.rsa.crypto.cert_host_cat`*:: + -- -type: long +This key is used for the hostname category value of a certificate + +type: keyword -- -*`netflow.bgp_next_hop_ipv4_address`*:: +*`cisco.rsa.crypto.cert_serial`*:: + -- -type: ip +This key is used to capture the Certificate serial number only + +type: keyword -- -*`netflow.post_mcast_packet_delta_count`*:: +*`cisco.rsa.crypto.cert_status`*:: + -- -type: long +This key captures Certificate validation status + +type: keyword -- -*`netflow.post_mcast_octet_delta_count`*:: +*`cisco.rsa.crypto.ssl_ver_dst`*:: + -- -type: long +Deprecated, use version + +type: keyword -- -*`netflow.flow_end_sys_up_time`*:: +*`cisco.rsa.crypto.cert_keysize`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_sys_up_time`*:: +*`cisco.rsa.crypto.cert_username`*:: + -- -type: long +type: keyword -- -*`netflow.post_octet_delta_count`*:: +*`cisco.rsa.crypto.https_insact`*:: + -- -type: long +type: keyword -- -*`netflow.post_packet_delta_count`*:: +*`cisco.rsa.crypto.https_valid`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_ip_total_length`*:: +*`cisco.rsa.crypto.cert_ca`*:: + -- -type: long +This key is used to capture the Certificate signing authority only + +type: keyword -- -*`netflow.maximum_ip_total_length`*:: +*`cisco.rsa.crypto.cert_common`*:: + -- -type: long +This key is used to capture the Certificate common name only --- +type: keyword -*`netflow.source_ipv6_address`*:: -+ -- -type: ip --- -*`netflow.destination_ipv6_address`*:: +*`cisco.rsa.wireless.wlan_ssid`*:: + -- -type: ip +This key is used to capture the ssid of a Wireless Session + +type: keyword -- -*`netflow.source_ipv6_prefix_length`*:: +*`cisco.rsa.wireless.access_point`*:: + -- -type: short +This key is used to capture the access point name. 
+ +type: keyword -- -*`netflow.destination_ipv6_prefix_length`*:: +*`cisco.rsa.wireless.wlan_channel`*:: + -- -type: short +This is used to capture the channel names + +type: long -- -*`netflow.flow_label_ipv6`*:: +*`cisco.rsa.wireless.wlan_name`*:: + -- -type: long +This key captures either WLAN number/name + +type: keyword -- -*`netflow.icmp_type_code_ipv4`*:: + +*`cisco.rsa.storage.disk_volume`*:: + -- -type: integer +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword -- -*`netflow.igmp_type`*:: +*`cisco.rsa.storage.lun`*:: + -- -type: short +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword -- -*`netflow.sampling_interval`*:: +*`cisco.rsa.storage.pwwn`*:: + -- -type: long +This uniquely identifies a port on a HBA. + +type: keyword -- -*`netflow.sampling_algorithm`*:: + +*`cisco.rsa.physical.org_dst`*:: + -- -type: short +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword -- -*`netflow.flow_active_timeout`*:: +*`cisco.rsa.physical.org_src`*:: + -- -type: integer +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword -- -*`netflow.flow_idle_timeout`*:: + +*`cisco.rsa.healthcare.patient_fname`*:: + -- -type: integer +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.engine_type`*:: +*`cisco.rsa.healthcare.patient_id`*:: + -- -type: short +This key captures the unique ID for a patient + +type: keyword -- -*`netflow.engine_id`*:: +*`cisco.rsa.healthcare.patient_lname`*:: + -- -type: short +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.exported_octet_total_count`*:: +*`cisco.rsa.healthcare.patient_mname`*:: + -- -type: long +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.exported_message_total_count`*:: + +*`cisco.rsa.endpoint.host_state`*:: + -- -type: long +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword -- -*`netflow.exported_flow_record_total_count`*:: +*`cisco.rsa.endpoint.registry_key`*:: + -- -type: long +This key captures the path to the registry key + +type: keyword -- -*`netflow.ipv4_router_sc`*:: +*`cisco.rsa.endpoint.registry_value`*:: + -- -type: ip +This key captures values or decorators used within a registry entry + +type: keyword -- -*`netflow.source_ipv4_prefix`*:: +[[exported-fields-citrix]] +== Citrix XenApp fields + +citrix fields. + + + +*`network.interface.name`*:: + -- -type: ip +Name of the network interface where the traffic has been observed. 
+ + +type: keyword -- -*`netflow.destination_ipv4_prefix`*:: + + +*`rsa.internal.msg`*:: + -- -type: ip +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword -- -*`netflow.mpls_top_label_type`*:: +*`rsa.internal.messageid`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_top_label_ipv4_address`*:: +*`rsa.internal.event_desc`*:: + -- -type: ip +type: keyword -- -*`netflow.sampler_id`*:: +*`rsa.internal.message`*:: + -- -type: short +This key captures the contents of instant messages + +type: keyword -- -*`netflow.sampler_mode`*:: +*`rsa.internal.time`*:: + -- -type: short +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`netflow.sampler_random_interval`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`netflow.class_id`*:: +*`rsa.internal.msg_id`*:: + -- -type: long +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.minimum_ttl`*:: +*`rsa.internal.msg_vid`*:: + -- -type: short +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.maximum_ttl`*:: +*`rsa.internal.data`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.fragment_identification`*:: +*`rsa.internal.obj_server`*:: + -- -type: long +Deprecated key defined only in table map. 
+ +type: keyword -- -*`netflow.post_ip_class_of_service`*:: +*`rsa.internal.obj_val`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.source_mac_address`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.post_destination_mac_address`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.vlan_id`*:: +*`rsa.internal.statement`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.post_vlan_id`*:: +*`rsa.internal.audit_class`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ip_version`*:: +*`rsa.internal.entry`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.flow_direction`*:: +*`rsa.internal.hcode`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ip_next_hop_ipv6_address`*:: +*`rsa.internal.inode`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: long -- -*`netflow.bgp_next_hop_ipv6_address`*:: +*`rsa.internal.resource_class`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ipv6_extension_headers`*:: +*`rsa.internal.dead`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`netflow.mpls_top_label_stack_section`*:: +*`rsa.internal.feed_desc`*:: + -- -type: short +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section2`*:: +*`rsa.internal.feed_name`*:: + -- -type: short +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section3`*:: +*`rsa.internal.cid`*:: + -- -type: short +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section4`*:: +*`rsa.internal.device_class`*:: + -- -type: short +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section5`*:: +*`rsa.internal.device_group`*:: + -- -type: short +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section6`*:: +*`rsa.internal.device_host`*:: + -- -type: short +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section7`*:: +*`rsa.internal.device_ip`*:: + -- -type: short +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.mpls_label_stack_section8`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: short +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.mpls_label_stack_section9`*:: +*`rsa.internal.device_type`*:: + -- -type: short +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_label_stack_section10`*:: +*`rsa.internal.device_type_id`*:: + -- -type: short +Deprecated key defined only in table map. + +type: long -- -*`netflow.destination_mac_address`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.post_source_mac_address`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.interface_name`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.interface_description`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`netflow.sampler_name`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.octet_total_count`*:: +*`rsa.internal.forward_ip`*:: + -- -type: long - --- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
-*`netflow.packet_total_count`*:: -+ --- -type: long +type: ip -- -*`netflow.flags_and_sampler_id`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: long +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.fragment_offset`*:: +*`rsa.internal.header_id`*:: + -- -type: integer +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.forwarding_status`*:: +*`rsa.internal.lc_cid`*:: + -- -type: short +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.mpls_vpn_route_distinguisher`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: short +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`netflow.mpls_top_label_prefix_length`*:: +*`rsa.internal.mcb_req`*:: + -- -type: short +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`netflow.src_traffic_index`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`netflow.dst_traffic_index`*:: +*`rsa.internal.mcbc_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- -*`netflow.application_description`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`netflow.application_id`*:: +*`rsa.internal.medium`*:: + -- -type: short +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`netflow.application_name`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`netflow.post_ip_diff_serv_code_point`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: short - --- +This key denotes that event is endpoint related -*`netflow.multicast_replication_factor`*:: -+ --- -type: long +type: keyword -- -*`netflow.class_name`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.classification_engine_id`*:: +*`rsa.internal.payload_req`*:: + -- -type: short - --- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -*`netflow.layer2packet_section_offset`*:: -+ --- -type: integer +type: long -- -*`netflow.layer2packet_section_size`*:: +*`rsa.internal.payload_res`*:: + -- -type: integer +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`netflow.layer2packet_section_data`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: short +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`netflow.bgp_next_adjacent_as_number`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`netflow.bgp_prev_adjacent_as_number`*:: +*`rsa.internal.rid`*:: + -- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`netflow.exporter_ipv4_address`*:: +*`rsa.internal.session_split`*:: + -- -type: ip +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.exporter_ipv6_address`*:: +*`rsa.internal.site`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.dropped_octet_delta_count`*:: +*`rsa.internal.size`*:: + -- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`netflow.dropped_packet_delta_count`*:: +*`rsa.internal.sourcefile`*:: + -- -type: long +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.dropped_octet_total_count`*:: +*`rsa.internal.ubc_req`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`netflow.dropped_packet_total_count`*:: +*`rsa.internal.ubc_res`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`netflow.flow_end_reason`*:: +*`rsa.internal.word`*:: + -- -type: short +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`netflow.common_properties_id`*:: + +*`rsa.time.event_time`*:: + -- -type: long +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`netflow.observation_point_id`*:: +*`rsa.time.duration_time`*:: + -- -type: long +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`netflow.icmp_type_code_ipv6`*:: +*`rsa.time.event_time_str`*:: + -- -type: integer +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword -- -*`netflow.mpls_top_label_ipv6_address`*:: +*`rsa.time.starttime`*:: + -- -type: ip +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`netflow.line_card_id`*:: +*`rsa.time.month`*:: + -- -type: long +type: keyword -- -*`netflow.port_id`*:: +*`rsa.time.day`*:: + -- -type: long +type: keyword -- -*`netflow.metering_process_id`*:: +*`rsa.time.endtime`*:: + -- -type: long +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`netflow.exporting_process_id`*:: +*`rsa.time.timezone`*:: + -- -type: long +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`netflow.template_id`*:: +*`rsa.time.duration_str`*:: + -- -type: integer +A text string version of the duration + +type: keyword -- -*`netflow.wlan_channel_id`*:: +*`rsa.time.date`*:: + -- -type: short +type: keyword -- -*`netflow.wlan_ssid`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`netflow.flow_id`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is 
collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`netflow.observation_domain_id`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_seconds`*:: +*`rsa.time.effective_time`*:: + -- +This key is the effective time referenced by an individual event in a Standard Timestamp format + type: date -- -*`netflow.flow_end_seconds`*:: +*`rsa.time.expire_time`*:: + -- +This key is the timestamp that explicitly refers to an expiration. + type: date -- -*`netflow.flow_start_milliseconds`*:: +*`rsa.time.process_time`*:: + -- -type: date +Deprecated, use duration.time + +type: keyword -- -*`netflow.flow_end_milliseconds`*:: +*`rsa.time.hour`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_microseconds`*:: +*`rsa.time.min`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_microseconds`*:: +*`rsa.time.timestamp`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_nanoseconds`*:: +*`rsa.time.event_queue_time`*:: + -- +This key is the Time that the event was queued. 
+ type: date -- -*`netflow.flow_end_nanoseconds`*:: +*`rsa.time.p_time1`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_delta_microseconds`*:: +*`rsa.time.tzone`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_delta_microseconds`*:: +*`rsa.time.eventtime`*:: + -- -type: long +type: keyword -- -*`netflow.system_init_time_milliseconds`*:: +*`rsa.time.gmtdate`*:: + -- -type: date +type: keyword -- -*`netflow.flow_duration_milliseconds`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`netflow.flow_duration_microseconds`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- -*`netflow.observed_flow_total_count`*:: +*`rsa.time.p_month`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_packet_total_count`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_octet_total_count`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_flow_total_count`*:: +*`rsa.time.p_year`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_packet_total_count`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`netflow.not_sent_octet_total_count`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`netflow.destination_ipv6_prefix`*:: + +*`rsa.misc.action`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv6_prefix`*:: +*`rsa.misc.result`*:: + -- -type: ip +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword -- -*`netflow.post_octet_total_count`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`netflow.post_packet_total_count`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. 
+ +type: keyword -- -*`netflow.flow_key_indicator`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly + +type: keyword -- -*`netflow.post_mcast_packet_total_count`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`netflow.post_mcast_octet_total_count`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`netflow.icmp_type_ipv4`*:: +*`rsa.misc.result_code`*:: + -- -type: short +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`netflow.icmp_code_ipv4`*:: +*`rsa.misc.category`*:: + -- -type: short +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`netflow.icmp_type_ipv6`*:: +*`rsa.misc.obj_name`*:: + -- -type: short +This is used to capture name of object + +type: keyword -- -*`netflow.icmp_code_ipv6`*:: +*`rsa.misc.obj_type`*:: + -- -type: short +This is used to capture type of object + +type: keyword -- -*`netflow.udp_source_port`*:: +*`rsa.misc.event_source`*:: + -- -type: integer +This key captures Source of the event that’s not a hostname + +type: keyword -- -*`netflow.udp_destination_port`*:: +*`rsa.misc.log_session_id`*:: + -- -type: integer +This key is used to capture a sessionid from the session directly + +type: keyword -- -*`netflow.tcp_source_port`*:: +*`rsa.misc.group`*:: + -- -type: integer +This key captures the Group Name value + +type: keyword -- -*`netflow.tcp_destination_port`*:: +*`rsa.misc.policy_name`*:: + -- -type: integer +This key is used to capture the Policy Name only. 
+ +type: keyword -- -*`netflow.tcp_sequence_number`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`netflow.tcp_acknowledgement_number`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`netflow.tcp_window_size`*:: +*`rsa.misc.change_new`*:: + -- -type: integer +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword -- -*`netflow.tcp_urgent_pointer`*:: +*`rsa.misc.space`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_header_length`*:: +*`rsa.misc.client`*:: + -- -type: short +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`netflow.ip_header_length`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: short +type: keyword -- -*`netflow.total_length_ipv4`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: integer +type: keyword -- -*`netflow.payload_length_ipv6`*:: +*`rsa.misc.change_old`*:: + -- -type: integer +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`netflow.ip_ttl`*:: +*`rsa.misc.operation_id`*:: + -- -type: short +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`netflow.next_header_ipv6`*:: +*`rsa.misc.event_state`*:: + -- -type: short +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword -- -*`netflow.mpls_payload_length`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. Specific usage + +type: keyword -- -*`netflow.ip_diff_serv_code_point`*:: +*`rsa.misc.node`*:: + -- -type: short +Common use case is the node name within a cluster. 
The cluster name is reflected by the host name. + +type: keyword -- -*`netflow.ip_precedence`*:: +*`rsa.misc.rule`*:: + -- -type: short +This key captures the Rule number + +type: keyword -- -*`netflow.fragment_flags`*:: +*`rsa.misc.device_name`*:: + -- -type: short +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`netflow.octet_delta_sum_of_squares`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`netflow.octet_total_sum_of_squares`*:: +*`rsa.misc.change_attrib`*:: + -- -type: long +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`netflow.mpls_top_label_ttl`*:: +*`rsa.misc.event_computer`*:: + -- -type: short +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword -- -*`netflow.mpls_label_stack_length`*:: +*`rsa.misc.reference_id1`*:: + -- -type: long +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword -- -*`netflow.mpls_label_stack_depth`*:: +*`rsa.misc.event_log`*:: + -- -type: long +This key captures the Name of the event log + +type: keyword -- -*`netflow.mpls_top_label_exp`*:: +*`rsa.misc.OS`*:: + -- -type: short +This key captures the Name of the Operating System + +type: keyword -- -*`netflow.ip_payload_length`*:: +*`rsa.misc.terminal`*:: + -- -type: long +This key captures the Terminal Names only + +type: keyword -- -*`netflow.udp_message_length`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: integer +type: keyword -- -*`netflow.is_multicast`*:: +*`rsa.misc.filter`*:: + -- -type: short +This key captures Filter used to reduce result set + +type: keyword -- -*`netflow.ipv4_ihl`*:: +*`rsa.misc.serial_number`*:: + -- -type: short +This key is the Serial number associated with a physical asset. 
+ +type: keyword -- -*`netflow.ipv4_options`*:: +*`rsa.misc.checksum`*:: + -- -type: long +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword -- -*`netflow.tcp_options`*:: +*`rsa.misc.event_user`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`netflow.padding_octets`*:: +*`rsa.misc.virusname`*:: + -- -type: short +This key captures the name of the virus + +type: keyword -- -*`netflow.collector_ipv4_address`*:: +*`rsa.misc.content_type`*:: + -- -type: ip +This key is used to capture Content Type only. + +type: keyword -- -*`netflow.collector_ipv6_address`*:: +*`rsa.misc.group_id`*:: + -- -type: ip +This key captures Group ID Number (related to the group name) + +type: keyword -- -*`netflow.export_interface`*:: +*`rsa.misc.policy_id`*:: + -- -type: long +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`netflow.export_protocol_version`*:: +*`rsa.misc.vsys`*:: + -- -type: short +This key captures Virtual System Name + +type: keyword -- -*`netflow.export_transport_protocol`*:: +*`rsa.misc.connection_id`*:: + -- -type: short +This key captures the Connection ID + +type: keyword -- -*`netflow.collector_transport_port`*:: +*`rsa.misc.reference_id2`*:: + -- -type: integer +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword -- -*`netflow.exporter_transport_port`*:: +*`rsa.misc.sensor`*:: + -- -type: integer +This key captures Name of the sensor. 
Typically used in IDS/IPS based devices + +type: keyword -- -*`netflow.tcp_syn_total_count`*:: +*`rsa.misc.sig_id`*:: + -- +This key captures IDS/IPS Int Signature ID + type: long -- -*`netflow.tcp_fin_total_count`*:: +*`rsa.misc.port_name`*:: + -- -type: long +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword -- -*`netflow.tcp_rst_total_count`*:: +*`rsa.misc.rule_group`*:: + -- -type: long +This key captures the Rule group name + +type: keyword -- -*`netflow.tcp_psh_total_count`*:: +*`rsa.misc.risk_num`*:: + -- -type: long +This key captures a Numeric Risk value + +type: double -- -*`netflow.tcp_ack_total_count`*:: +*`rsa.misc.trigger_val`*:: + -- -type: long +This key captures the Value of the trigger or threshold condition. + +type: keyword -- -*`netflow.tcp_urg_total_count`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: long +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`netflow.ip_total_length`*:: +*`rsa.misc.comp_version`*:: + -- -type: long +This key captures the Version level of a sub-component of a product. + +type: keyword -- -*`netflow.post_nat_source_ipv4_address`*:: +*`rsa.misc.content_version`*:: + -- -type: ip +This key captures Version level of a signature or database content. 
+ +type: keyword -- -*`netflow.post_nat_destination_ipv4_address`*:: +*`rsa.misc.hardware_id`*:: + -- -type: ip +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword -- -*`netflow.post_napt_source_transport_port`*:: +*`rsa.misc.risk`*:: + -- -type: integer +This key captures the non-numeric risk value + +type: keyword -- -*`netflow.post_napt_destination_transport_port`*:: +*`rsa.misc.event_id`*:: + -- -type: integer +type: keyword -- -*`netflow.nat_originating_address_realm`*:: +*`rsa.misc.reason`*:: + -- -type: short +type: keyword -- -*`netflow.nat_event`*:: +*`rsa.misc.status`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_octets`*:: +*`rsa.misc.mail_id`*:: + -- -type: long +This key is used to capture the mailbox id/name + +type: keyword -- -*`netflow.responder_octets`*:: +*`rsa.misc.rule_uid`*:: + -- -type: long +This key is the Unique Identifier for a rule. + +type: keyword -- -*`netflow.firewall_event`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: short +This key captures the Description of the trigger or threshold condition. 
+ +type: keyword -- -*`netflow.ingress_vrfid`*:: +*`rsa.misc.inout`*:: + -- -type: long +type: keyword -- -*`netflow.egress_vrfid`*:: +*`rsa.misc.p_msgid`*:: + -- -type: long +type: keyword -- -*`netflow.vr_fname`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`netflow.post_mpls_top_label_exp`*:: +*`rsa.misc.msgIdPart4`*:: + -- -type: short +type: keyword -- -*`netflow.tcp_window_scale`*:: +*`rsa.misc.error`*:: + -- -type: integer +This key captures All non successful Error codes or responses + +type: keyword -- -*`netflow.biflow_direction`*:: +*`rsa.misc.index`*:: + -- -type: short +type: keyword -- -*`netflow.ethernet_header_length`*:: +*`rsa.misc.listnum`*:: + -- -type: short +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword -- -*`netflow.ethernet_payload_length`*:: +*`rsa.misc.ntype`*:: + -- -type: integer +type: keyword -- -*`netflow.ethernet_total_length`*:: +*`rsa.misc.observed_val`*:: + -- -type: integer +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword -- -*`netflow.dot1q_vlan_id`*:: +*`rsa.misc.policy_value`*:: + -- -type: integer +This key captures the contents of the policy. 
This contains details about the policy + +type: keyword -- -*`netflow.dot1q_priority`*:: +*`rsa.misc.pool_name`*:: + -- -type: short +This key captures the name of a resource pool + +type: keyword -- -*`netflow.dot1q_customer_vlan_id`*:: +*`rsa.misc.rule_template`*:: + -- -type: integer +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword -- -*`netflow.dot1q_customer_priority`*:: +*`rsa.misc.count`*:: + -- -type: short +type: keyword -- -*`netflow.metro_evc_id`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`netflow.metro_evc_type`*:: +*`rsa.misc.sigcat`*:: + -- -type: short +type: keyword -- -*`netflow.pseudo_wire_id`*:: +*`rsa.misc.type`*:: + -- -type: long +type: keyword -- -*`netflow.pseudo_wire_type`*:: +*`rsa.misc.comments`*:: + -- -type: integer +Comment information provided in the log message + +type: keyword -- -*`netflow.pseudo_wire_control_word`*:: +*`rsa.misc.doc_number`*:: + -- +This key captures File Identification number + type: long -- -*`netflow.ingress_physical_interface`*:: +*`rsa.misc.expected_val`*:: + -- -type: long +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword -- -*`netflow.egress_physical_interface`*:: +*`rsa.misc.job_num`*:: + -- -type: long +This key captures the Job Number + +type: keyword -- -*`netflow.post_dot1q_vlan_id`*:: +*`rsa.misc.spi_dst`*:: + -- -type: integer +Destination SPI Index + +type: keyword -- -*`netflow.post_dot1q_customer_vlan_id`*:: +*`rsa.misc.spi_src`*:: + -- -type: integer +Source SPI Index + +type: keyword -- -*`netflow.ethernet_type`*:: +*`rsa.misc.code`*:: + -- -type: integer +type: keyword -- -*`netflow.post_ip_precedence`*:: +*`rsa.misc.agent_id`*:: + -- -type: short +This key is used to capture agent id + +type: keyword -- -*`netflow.collection_time_milliseconds`*:: +*`rsa.misc.message_body`*:: + -- -type: date +This key captures the The contents of the message body. + +type: keyword -- -*`netflow.export_sctp_stream_id`*:: +*`rsa.misc.phone`*:: + -- -type: integer +type: keyword -- -*`netflow.max_export_seconds`*:: +*`rsa.misc.sig_id_str`*:: + -- -type: date +This key captures a string object of the sigid variable. + +type: keyword -- -*`netflow.max_flow_end_seconds`*:: +*`rsa.misc.cmd`*:: + -- -type: date +type: keyword -- -*`netflow.message_md5_checksum`*:: +*`rsa.misc.misc`*:: + -- -type: short +type: keyword -- -*`netflow.message_scope`*:: +*`rsa.misc.name`*:: + -- -type: short +type: keyword -- -*`netflow.min_export_seconds`*:: +*`rsa.misc.cpu`*:: + -- -type: date +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`netflow.min_flow_start_seconds`*:: +*`rsa.misc.event_desc`*:: + -- -type: date +This key is used to capture a description of an event available directly or inferred + +type: keyword -- -*`netflow.opaque_octets`*:: +*`rsa.misc.sig_id1`*:: + -- -type: short +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + +type: long -- -*`netflow.session_scope`*:: +*`rsa.misc.im_buddyid`*:: + -- -type: short +type: keyword -- -*`netflow.max_flow_end_microseconds`*:: +*`rsa.misc.im_client`*:: + -- -type: date +type: keyword -- -*`netflow.max_flow_end_milliseconds`*:: +*`rsa.misc.im_userid`*:: + -- -type: date +type: keyword -- -*`netflow.max_flow_end_nanoseconds`*:: +*`rsa.misc.pid`*:: + -- -type: date +type: keyword -- -*`netflow.min_flow_start_microseconds`*:: +*`rsa.misc.priority`*:: + -- -type: date +type: keyword -- -*`netflow.min_flow_start_milliseconds`*:: +*`rsa.misc.context_subject`*:: + -- -type: date +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`netflow.min_flow_start_nanoseconds`*:: +*`rsa.misc.context_target`*:: + -- -type: date +type: keyword -- -*`netflow.collector_certificate`*:: +*`rsa.misc.cve`*:: + -- -type: short +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword -- -*`netflow.exporter_certificate`*:: +*`rsa.misc.fcatnum`*:: + -- -type: short +This key captures Filter Category Number. Legacy Usage + +type: keyword -- -*`netflow.data_records_reliability`*:: +*`rsa.misc.library`*:: + -- -type: boolean +This key is used to capture library information in mainframe devices + +type: keyword -- -*`netflow.observation_point_type`*:: +*`rsa.misc.parent_node`*:: + -- -type: short +This key captures the Parent Node Name. Must be related to node variable. 
+ +type: keyword -- -*`netflow.new_connection_delta_count`*:: +*`rsa.misc.risk_info`*:: + -- -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.connection_sum_duration_seconds`*:: +*`rsa.misc.tcp_flags`*:: + -- +This key is captures the TCP flags set in any packet of session + type: long -- -*`netflow.connection_transaction_id`*:: +*`rsa.misc.tos`*:: + -- +This key describes the type of service + type: long -- -*`netflow.post_nat_source_ipv6_address`*:: +*`rsa.misc.vm_target`*:: + -- -type: ip +VMWare Target **VMWARE** only varaible. + +type: keyword -- -*`netflow.post_nat_destination_ipv6_address`*:: +*`rsa.misc.workspace`*:: + -- -type: ip +This key captures Workspace Description + +type: keyword -- -*`netflow.nat_pool_id`*:: +*`rsa.misc.command`*:: + -- -type: long +type: keyword -- -*`netflow.nat_pool_name`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`netflow.anonymization_flags`*:: +*`rsa.misc.facilityname`*:: + -- -type: integer +type: keyword -- -*`netflow.anonymization_technique`*:: +*`rsa.misc.forensic_info`*:: + -- -type: integer +type: keyword -- -*`netflow.information_element_index`*:: +*`rsa.misc.jobname`*:: + -- -type: integer +type: keyword -- -*`netflow.p2p_technology`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`netflow.tunnel_technology`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`netflow.encrypted_technology`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`netflow.bgp_validity_state`*:: +*`rsa.misc.second`*:: + -- -type: short +type: keyword -- -*`netflow.ip_sec_spi`*:: +*`rsa.misc.space1`*:: + -- -type: long +type: keyword -- -*`netflow.gre_key`*:: +*`rsa.misc.subcategory`*:: + -- -type: long +type: keyword -- -*`netflow.nat_type`*:: +*`rsa.misc.tbdstr2`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_packets`*:: +*`rsa.misc.alert_id`*:: + -- -type: long +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- 
-*`netflow.responder_packets`*:: +*`rsa.misc.checksum_dst`*:: + -- -type: long +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword -- -*`netflow.observation_domain_name`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`netflow.selection_sequence_id`*:: +*`rsa.misc.fresult`*:: + -- +This key captures the Filter Result + type: long -- -*`netflow.selector_id`*:: +*`rsa.misc.payload_dst`*:: + -- -type: long +This key is used to capture destination payload + +type: keyword -- -*`netflow.information_element_id`*:: +*`rsa.misc.payload_src`*:: + -- -type: integer +This key is used to capture source payload + +type: keyword -- -*`netflow.selector_algorithm`*:: +*`rsa.misc.pool_id`*:: + -- -type: integer +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword -- -*`netflow.sampling_packet_interval`*:: +*`rsa.misc.process_id_val`*:: + -- -type: long +This key is a failure key for Process ID when it is not an integer value + +type: keyword -- -*`netflow.sampling_packet_space`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: long +This key captures Risk Number Community + +type: double -- -*`netflow.sampling_time_interval`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: long +This key captures Risk Number NextGen + +type: double -- -*`netflow.sampling_time_space`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: long +This key captures Risk Number SandBox + +type: double -- -*`netflow.sampling_size`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: long +This key captures Risk Number Static + +type: double -- -*`netflow.sampling_population`*:: +*`rsa.misc.risk_suspicious`*:: + -- -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.sampling_probability`*:: +*`rsa.misc.risk_warning`*:: + -- -type: double +Deprecated, use 
New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.data_link_frame_size`*:: +*`rsa.misc.snmp_oid`*:: + -- -type: integer +SNMP Object Identifier + +type: keyword -- -*`netflow.ip_header_packet_section`*:: +*`rsa.misc.sql`*:: + -- -type: short +This key captures the SQL query + +type: keyword -- -*`netflow.ip_payload_packet_section`*:: +*`rsa.misc.vuln_ref`*:: + -- -type: short +This key captures the Vulnerability Reference details + +type: keyword -- -*`netflow.data_link_frame_section`*:: +*`rsa.misc.acl_id`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section`*:: +*`rsa.misc.acl_op`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_payload_packet_section`*:: +*`rsa.misc.acl_pos`*:: + -- -type: short +type: keyword -- -*`netflow.selector_id_total_pkts_observed`*:: +*`rsa.misc.acl_table`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_pkts_selected`*:: +*`rsa.misc.admin`*:: + -- -type: long +type: keyword -- -*`netflow.absolute_error`*:: +*`rsa.misc.alarm_id`*:: + -- -type: double +type: keyword -- -*`netflow.relative_error`*:: +*`rsa.misc.alarmname`*:: + -- -type: double +type: keyword -- -*`netflow.observation_time_seconds`*:: +*`rsa.misc.app_id`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_milliseconds`*:: +*`rsa.misc.audit`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_microseconds`*:: +*`rsa.misc.audit_object`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_nanoseconds`*:: +*`rsa.misc.auditdata`*:: + -- -type: date +type: keyword -- -*`netflow.digest_hash_value`*:: +*`rsa.misc.benchmark`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_offset`*:: +*`rsa.misc.bypass`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_size`*:: +*`rsa.misc.cache`*:: + -- -type: long +type: keyword -- -*`netflow.hash_output_range_min`*:: +*`rsa.misc.cache_hit`*:: + -- -type: long +type: keyword -- 
-*`netflow.hash_output_range_max`*:: +*`rsa.misc.cefversion`*:: + -- -type: long +type: keyword -- -*`netflow.hash_selected_range_min`*:: +*`rsa.misc.cfg_attr`*:: + -- -type: long +type: keyword -- -*`netflow.hash_selected_range_max`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: long +type: keyword -- -*`netflow.hash_digest_output`*:: +*`rsa.misc.cfg_path`*:: + -- -type: boolean +type: keyword -- -*`netflow.hash_initialiser_value`*:: +*`rsa.misc.changes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_name`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`netflow.upper_ci_limit`*:: +*`rsa.misc.clustermembers`*:: + -- -type: double +type: keyword -- -*`netflow.lower_ci_limit`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -type: double +type: keyword -- -*`netflow.confidence_level`*:: +*`rsa.misc.cn_asn_src`*:: + -- -type: double +type: keyword -- -*`netflow.information_element_data_type`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: short +type: keyword -- -*`netflow.information_element_description`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`netflow.information_element_name`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`netflow.information_element_range_begin`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -type: long +type: keyword -- -*`netflow.information_element_range_end`*:: +*`rsa.misc.cn_engine_id`*:: + -- -type: long +type: keyword -- -*`netflow.information_element_semantics`*:: +*`rsa.misc.cn_engine_type`*:: + -- -type: short +type: keyword -- -*`netflow.information_element_units`*:: +*`rsa.misc.cn_f_switch`*:: + -- -type: integer +type: keyword -- -*`netflow.private_enterprise_number`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -type: long +type: keyword -- -*`netflow.virtual_station_interface_id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -type: short +type: keyword -- -*`netflow.virtual_station_interface_name`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`netflow.virtual_station_uuid`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -type: 
short +type: keyword -- -*`netflow.virtual_station_name`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`netflow.layer2_segment_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_count`*:: +*`rsa.misc.cn_invalid`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_total_count`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_unicast_packet_total_count`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_multicast_packet_total_count`*:: +*`rsa.misc.cn_l_switch`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_broadcast_packet_total_count`*:: +*`rsa.misc.cn_log_did`*:: + -- -type: long +type: keyword -- -*`netflow.egress_unicast_packet_total_count`*:: +*`rsa.misc.cn_log_rid`*:: + -- -type: long +type: keyword -- -*`netflow.egress_broadcast_packet_total_count`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -type: long +type: keyword -- -*`netflow.monitoring_interval_start_milli_seconds`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -type: date +type: keyword -- -*`netflow.monitoring_interval_end_milli_seconds`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -type: date +type: keyword -- -*`netflow.port_range_start`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_end`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_step_size`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_num_ports`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -type: integer +type: keyword -- -*`netflow.sta_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`netflow.sta_ipv4_address`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -type: ip +type: keyword -- -*`netflow.wtp_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`netflow.ingress_interface_type`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -type: long +type: keyword -- 
-*`netflow.egress_interface_type`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -type: long +type: keyword -- -*`netflow.rtp_sequence_number`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -type: integer +type: keyword -- -*`netflow.user_name`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`netflow.application_category_name`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`netflow.application_sub_category_name`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`netflow.application_group_name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`netflow.original_flows_present`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -type: long +type: keyword -- -*`netflow.original_flows_initiated`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -type: long +type: keyword -- -*`netflow.original_flows_completed`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ip_address`*:: +*`rsa.misc.cn_sampint`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ip_address`*:: +*`rsa.misc.cn_seqctr`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv4_address`*:: +*`rsa.misc.cn_spackets`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv4_address`*:: +*`rsa.misc.cn_src_tos`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv6_address`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv6_address`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -type: long +type: keyword -- -*`netflow.value_distribution_method`*:: +*`rsa.misc.cn_template_id`*:: + -- -type: short +type: keyword -- -*`netflow.rfc3550_jitter_milliseconds`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_microseconds`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -type: long +type: keyword -- -*`netflow.rfc3550_jitter_nanoseconds`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -type: long 
+type: keyword -- -*`netflow.dot1q_dei`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -type: boolean +type: keyword -- -*`netflow.dot1q_customer_dei`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -type: boolean +type: keyword -- -*`netflow.flow_selector_algorithm`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -type: integer +type: keyword -- -*`netflow.flow_selected_octet_delta_count`*:: +*`rsa.misc.comp_class`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_packet_delta_count`*:: +*`rsa.misc.comp_name`*:: + -- -type: long +type: keyword -- -*`netflow.flow_selected_flow_delta_count`*:: +*`rsa.misc.comp_rbytes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_observed`*:: +*`rsa.misc.comp_sbytes`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_selected`*:: +*`rsa.misc.cpu_data`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_interval`*:: +*`rsa.misc.criticality`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_spacing`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_interval`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_spacing`*:: +*`rsa.misc.cs_av_other`*:: + -- -type: long +type: keyword -- -*`netflow.hash_flow_domain`*:: +*`rsa.misc.cs_av_primary`*:: + -- -type: integer +type: keyword -- -*`netflow.transport_octet_delta_count`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -type: long +type: keyword -- -*`netflow.transport_packet_delta_count`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -type: long +type: keyword -- -*`netflow.original_exporter_ipv4_address`*:: +*`rsa.misc.cs_bit9status`*:: + -- -type: ip +type: keyword -- -*`netflow.original_exporter_ipv6_address`*:: +*`rsa.misc.cs_context`*:: + -- -type: ip +type: keyword -- -*`netflow.original_observation_domain_id`*:: +*`rsa.misc.cs_control`*:: + -- -type: long +type: keyword -- -*`netflow.intermediate_process_id`*:: +*`rsa.misc.cs_data`*:: + -- 
-type: long +type: keyword -- -*`netflow.ignored_data_record_total_count`*:: +*`rsa.misc.cs_datecret`*:: + -- -type: long +type: keyword -- -*`netflow.data_link_frame_type`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -type: integer +type: keyword -- -*`netflow.section_offset`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -type: integer +type: keyword -- -*`netflow.section_exported_octets`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_service_instance_tag`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_service_instance_id`*:: +*`rsa.misc.cs_filetype`*:: + -- -type: long +type: keyword -- -*`netflow.dot1q_service_instance_priority`*:: +*`rsa.misc.cs_fld`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_customer_source_mac_address`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`netflow.dot1q_customer_destination_mac_address`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`netflow.post_layer2_octet_delta_count`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_delta_count`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -type: long +type: keyword -- -*`netflow.post_layer2_octet_total_count`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_total_count`*:: +*`rsa.misc.cs_lifetime`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_layer2_total_length`*:: +*`rsa.misc.cs_log_medium`*:: + -- -type: long +type: keyword -- -*`netflow.maximum_layer2_total_length`*:: +*`rsa.misc.cs_loginname`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_delta_count`*:: +*`rsa.misc.cs_modulescore`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_total_count`*:: +*`rsa.misc.cs_modulesign`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_layer2_octet_total_count`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -type: long +type: keyword -- 
-*`netflow.not_sent_layer2_octet_total_count`*:: +*`rsa.misc.cs_payload`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_sum_of_squares`*:: +*`rsa.misc.cs_registrant`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_total_sum_of_squares`*:: +*`rsa.misc.cs_registrar`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_frame_delta_count`*:: +*`rsa.misc.cs_represult`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_frame_total_count`*:: +*`rsa.misc.cs_rpayload`*:: + -- -type: long +type: keyword -- -*`netflow.pseudo_wire_destination_ipv4_address`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -type: ip +type: keyword -- -*`netflow.ignored_layer2_frame_total_count`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_integer`*:: +*`rsa.misc.cs_streams`*:: + -- -type: integer +type: keyword -- -*`netflow.mib_object_value_octet_string`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_oid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_bits`*:: +*`rsa.misc.cs_whois_server`*:: + -- -type: short +type: keyword -- -*`netflow.mib_object_value_ip_address`*:: +*`rsa.misc.cs_yararesult`*:: + -- -type: ip +type: keyword -- -*`netflow.mib_object_value_counter`*:: +*`rsa.misc.description`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_gauge`*:: +*`rsa.misc.devvendor`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_time_ticks`*:: +*`rsa.misc.distance`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_unsigned`*:: +*`rsa.misc.dstburb`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_identifier`*:: +*`rsa.misc.edomain`*:: + -- -type: short +type: keyword -- -*`netflow.mib_sub_identifier`*:: +*`rsa.misc.edomaub`*:: + -- -type: long +type: keyword -- -*`netflow.mib_index_indicator`*:: +*`rsa.misc.euid`*:: + -- -type: long +type: keyword -- 
-*`netflow.mib_capture_time_semantics`*:: +*`rsa.misc.facility`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_engine_id`*:: +*`rsa.misc.finterface`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_name`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`netflow.mib_object_name`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`netflow.mib_object_description`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`netflow.mib_object_syntax`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`netflow.mib_module_name`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`netflow.mobile_imsi`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`netflow.mobile_msisdn`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`netflow.http_status_code`*:: +*`rsa.misc.im_username`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_ports_limit`*:: +*`rsa.misc.ipkt`*:: + -- -type: integer +type: keyword -- -*`netflow.http_request_method`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`netflow.http_request_host`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`netflow.http_request_target`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`netflow.http_message_version`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`netflow.nat_instance_id`*:: +*`rsa.misc.list_name`*:: + -- -type: long +type: keyword -- -*`netflow.internal_address_realm`*:: +*`rsa.misc.load_data`*:: + -- -type: short +type: keyword -- -*`netflow.external_address_realm`*:: +*`rsa.misc.location_floor`*:: + -- -type: short +type: keyword -- -*`netflow.nat_quota_exceeded_event`*:: +*`rsa.misc.location_mark`*:: + -- -type: long +type: keyword -- -*`netflow.nat_threshold_event`*:: +*`rsa.misc.log_id`*:: + -- -type: long +type: keyword -- -*`netflow.http_user_agent`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`netflow.http_content_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`netflow.http_reason_phrase`*:: +*`rsa.misc.logip`*:: + -- type: 
keyword -- -*`netflow.max_session_entries`*:: +*`rsa.misc.logname`*:: + -- -type: long +type: keyword -- -*`netflow.max_bib_entries`*:: +*`rsa.misc.longitude`*:: + -- -type: long +type: keyword -- -*`netflow.max_entries_per_user`*:: +*`rsa.misc.lport`*:: + -- -type: long +type: keyword -- -*`netflow.max_subscribers`*:: +*`rsa.misc.mbug_data`*:: + -- -type: long +type: keyword -- -*`netflow.max_fragments_pending_reassembly`*:: +*`rsa.misc.misc_name`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_high_threshold`*:: +*`rsa.misc.msg_type`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_low_threshold`*:: +*`rsa.misc.msgid`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_high_threshold`*:: +*`rsa.misc.netsessid`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_low_threshold`*:: +*`rsa.misc.num`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_per_user_high_threshold`*:: +*`rsa.misc.number1`*:: + -- -type: long +type: keyword -- -*`netflow.global_address_mapping_high_threshold`*:: +*`rsa.misc.number2`*:: + -- -type: long +type: keyword -- -*`netflow.vpn_identifier`*:: +*`rsa.misc.nwwn`*:: + -- -type: short +type: keyword -- -[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - +*`rsa.misc.object`*:: ++ +-- +type: keyword +-- -[float] -=== nginx +*`rsa.misc.operation`*:: ++ +-- +type: keyword -Fields from the Nginx log files. +-- +*`rsa.misc.opkt`*:: ++ +-- +type: keyword +-- -[float] -=== access +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword -Contains fields for the Nginx access logs. +-- +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword +-- -*`nginx.access.remote_ip_list`*:: +*`rsa.misc.p_action`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+type: keyword +-- -type: array +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword -- -*`nginx.access.body_sent.bytes`*:: +*`rsa.misc.p_group_object`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- -*`nginx.access.user_name`*:: +*`rsa.misc.p_id`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`nginx.access.method`*:: +*`rsa.misc.p_msgid1`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`nginx.access.url`*:: +*`rsa.misc.p_msgid2`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`nginx.access.http_version`*:: +*`rsa.misc.p_result1`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`nginx.access.response_code`*:: +*`rsa.misc.password_chg`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`nginx.access.referrer`*:: +*`rsa.misc.password_expire`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`nginx.access.agent`*:: +*`rsa.misc.permgranted`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.permwanted`*:: ++ -- +type: keyword +-- -*`nginx.access.user_agent.device`*:: +*`rsa.misc.pgid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.access.user_agent.name`*:: +*`rsa.misc.policyUUID`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.access.user_agent.os`*:: +*`rsa.misc.prog_asp_num`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.access.user_agent.os_name`*:: +*`rsa.misc.program`*:: + -- -type: alias - -alias to: user_agent.os.name +type: keyword -- -*`nginx.access.user_agent.original`*:: +*`rsa.misc.real_data`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.rec_asp_device`*:: ++ -- +type: keyword +-- -*`nginx.access.geoip.continent_name`*:: +*`rsa.misc.rec_asp_num`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- 
-*`nginx.access.geoip.country_iso_code`*:: +*`rsa.misc.rec_library`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.access.geoip.location`*:: +*`rsa.misc.recordnum`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`nginx.access.geoip.region_name`*:: +*`rsa.misc.ruid`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`nginx.access.geoip.city_name`*:: +*`rsa.misc.sburb`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`nginx.access.geoip.region_iso_code`*:: +*`rsa.misc.sdomain_fld`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error +*`rsa.misc.sec`*:: ++ +-- +type: keyword -Contains fields for the Nginx error logs. +-- +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword +-- -*`nginx.error.connection_id`*:: +*`rsa.misc.seqnum`*:: + -- -Connection identifier. +type: keyword +-- -type: long +*`rsa.misc.session`*:: ++ +-- +type: keyword -- -*`nginx.error.level`*:: +*`rsa.misc.sessiontype`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`nginx.error.pid`*:: +*`rsa.misc.sigUUID`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`nginx.error.tid`*:: +*`rsa.misc.spi`*:: + -- -type: alias - -alias to: process.thread.id +type: keyword -- -*`nginx.error.message`*:: +*`rsa.misc.srcburb`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== ingress_controller +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword -Contains fields for the Ingress Nginx controller access logs. +-- +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword +-- -*`nginx.ingress_controller.remote_ip_list`*:: +*`rsa.misc.state`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+type: keyword +-- -type: array +*`rsa.misc.status1`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.length`*:: +*`rsa.misc.svcno`*:: + -- -The request length (including request line, header, and request body) - +type: keyword -type: long +-- -format: bytes +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.time`*:: +*`rsa.misc.tbdstr1`*:: + -- -Time elapsed since the first bytes were read from the client - +type: keyword -type: double +-- -format: duration +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.name`*:: +*`rsa.misc.tgtdomain`*:: + -- -The name of the upstream. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.alternative_name`*:: +*`rsa.misc.type1`*:: + -- -The name of the alternative upstream. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.response.length`*:: +*`rsa.misc.url_fld`*:: + -- -The length of the response obtained from the upstream server - +type: keyword -type: long +-- -format: bytes +*`rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.response.time`*:: +*`rsa.misc.userid`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution - +type: keyword -type: double +-- -format: duration +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.upstream.response.status_code`*:: +*`rsa.misc.utcstamp`*:: + -- -The status code of the response obtained from the upstream server +type: keyword +-- -type: long +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword -- -*`nginx.ingress_controller.http.request.id`*:: +*`rsa.misc.virt_data`*:: + -- -The randomly generated ID of the request +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`nginx.ingress_controller.upstream.ip`*:: +*`rsa.misc.autorun_type`*:: + -- -The IP 
address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. +This is used to capture Auto Run type - -type: ip +type: keyword -- -*`nginx.ingress_controller.upstream.port`*:: +*`rsa.misc.cc_number`*:: + -- -The port of the upstream server. - +Valid Credit Card Numbers only type: long -- -*`nginx.ingress_controller.body_sent.bytes`*:: +*`rsa.misc.content`*:: + -- -type: alias +This key captures the content type from protocol headers -alias to: http.response.body.bytes +type: keyword -- -*`nginx.ingress_controller.user_name`*:: +*`rsa.misc.ein_number`*:: + -- -type: alias +Employee Identification Numbers only -alias to: user.name +type: long -- -*`nginx.ingress_controller.method`*:: +*`rsa.misc.found`*:: + -- -type: alias +This is used to capture the results of regex match -alias to: http.request.method +type: keyword -- -*`nginx.ingress_controller.url`*:: +*`rsa.misc.language`*:: + -- -type: alias +This is used to capture list of languages the client support and what it prefers -alias to: url.original +type: keyword -- -*`nginx.ingress_controller.http_version`*:: +*`rsa.misc.lifetime`*:: + -- -type: alias +This key is used to capture the session lifetime in seconds. -alias to: http.version +type: long -- -*`nginx.ingress_controller.response_code`*:: +*`rsa.misc.link`*:: + -- -type: alias +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: http.response.status_code +type: keyword -- -*`nginx.ingress_controller.referrer`*:: +*`rsa.misc.match`*:: + -- -type: alias +This key is for regex match name from search.ini -alias to: http.request.referrer +type: keyword -- -*`nginx.ingress_controller.agent`*:: +*`rsa.misc.param_dst`*:: + -- -type: alias +This key captures the command line/launch argument of the target process or file -alias to: user_agent.original +type: keyword -- - -*`nginx.ingress_controller.user_agent.device`*:: +*`rsa.misc.param_src`*:: + -- -type: alias +This key captures source parameter -alias to: user_agent.device.name +type: keyword -- -*`nginx.ingress_controller.user_agent.name`*:: +*`rsa.misc.search_text`*:: + -- -type: alias +This key captures the Search Text used -alias to: user_agent.name +type: keyword -- -*`nginx.ingress_controller.user_agent.os`*:: +*`rsa.misc.sig_name`*:: + -- -type: alias +This key is used to capture the Signature Name only. -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.ingress_controller.user_agent.os_name`*:: +*`rsa.misc.snmp_value`*:: + -- -type: alias +SNMP set request value -alias to: user_agent.os.name +type: keyword -- -*`nginx.ingress_controller.user_agent.original`*:: +*`rsa.misc.streams`*:: + -- -type: alias +This key captures number of streams in session -alias to: user_agent.original +type: long -- -*`nginx.ingress_controller.geoip.continent_name`*:: +*`rsa.db.index`*:: + -- -type: alias +This key captures IndexID of the index. 
-alias to: source.geo.continent_name +type: keyword -- -*`nginx.ingress_controller.geoip.country_iso_code`*:: +*`rsa.db.instance`*:: + -- -type: alias +This key is used to capture the database server instance name -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.ingress_controller.geoip.location`*:: +*`rsa.db.database`*:: + -- -type: alias +This key is used to capture the name of a database or an instance as seen in a session -alias to: source.geo.location +type: keyword -- -*`nginx.ingress_controller.geoip.region_name`*:: +*`rsa.db.transact_id`*:: + -- -type: alias +This key captures the SQL transantion ID of the current session -alias to: source.geo.region_name +type: keyword -- -*`nginx.ingress_controller.geoip.city_name`*:: +*`rsa.db.permissions`*:: + -- -type: alias +This key captures permission or privilege level assigned to a resource. -alias to: source.geo.city_name +type: keyword -- -*`nginx.ingress_controller.geoip.region_iso_code`*:: +*`rsa.db.table_name`*:: + -- -type: alias +This key is used to capture the table name -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-o365]] -== Office 365 fields +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database -Module for handling logs from Office 365. +type: keyword +-- +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server -[float] -=== o365.audit +type: long -Fields from Office 365 Management API audit logs. 
+-- +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads +type: long -*`o365.audit.Actor`*:: +-- + +*`rsa.db.lwrite`*:: + -- -type: array +This key is used for the number of logical writes + +type: long -- -*`o365.audit.ActorContextId`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`o365.audit.ActorIpAddress`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`o365.audit.ActorUserId`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`o365.audit.ActorYammerUserId`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`o365.audit.AlertEntityId`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`o365.audit.AlertId`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`o365.audit.AlertLinks`*:: +*`rsa.network.network_port`*:: + -- -type: array +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long -- -*`o365.audit.AlertType`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`o365.audit.AppId`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`o365.audit.ApplicationDisplayName`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`o365.audit.ApplicationId`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`o365.audit.AzureActiveDirectoryEventType`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`o365.audit.ExchangeMetaData.*`*:: +*`rsa.network.zone`*:: + -- -type: object +This key should be used when the source or destination context of a Zone is not clear + +type: keyword -- -*`o365.audit.Category`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`o365.audit.ClientAppId`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`o365.audit.ClientInfoString`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`o365.audit.ClientIP`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. 
+ type: keyword -- -*`o365.audit.ClientIPAddress`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`o365.audit.Comments`*:: +*`rsa.network.protocol_detail`*:: + -- -type: text +This key should be used to capture additional protocol information + +type: keyword -- -*`o365.audit.CorrelationId`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`o365.audit.CreationTime`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`o365.audit.CustomUniqueId`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`o365.audit.Data`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`o365.audit.DataType`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`o365.audit.EntityType`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`o365.audit.EventData`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`o365.audit.EventSource`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`o365.audit.ExceptionInfo.*`*:: +*`rsa.network.remote_domain_id`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExtendedProperties.*`*:: +*`rsa.network.addr`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExternalAccess`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`o365.audit.GroupName`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`o365.audit.Id`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`o365.audit.ImplicitShare`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`o365.audit.IncidentId`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`o365.audit.InternalLogonType`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- 
-*`o365.audit.InterSystemsId`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`o365.audit.IntraSystemId`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`o365.audit.Item.*`*:: +*`rsa.network.eth_type`*:: + -- -type: object +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`o365.audit.Item.*.*`*:: +*`rsa.network.ip_proto`*:: + -- -type: object +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`o365.audit.ItemName`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`o365.audit.ItemType`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`o365.audit.ListId`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`o365.audit.ListItemUniqueId`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`o365.audit.LogonError`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`o365.audit.LogonType`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`o365.audit.LogonUserSid`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`o365.audit.MailboxGuid`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerMasterAccountSid`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`o365.audit.MailboxOwnerSid`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ type: keyword -- -*`o365.audit.MailboxOwnerUPN`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`o365.audit.Members`*:: + +*`rsa.investigations.ec_activity`*:: + -- -type: array +This key captures the particular event activity(Ex:Logoff) + +type: keyword -- -*`o365.audit.Members.*`*:: +*`rsa.investigations.ec_theme`*:: + -- -type: object +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword -- -*`o365.audit.ModifiedProperties.*.*`*:: +*`rsa.investigations.ec_subject`*:: + -- -type: object +This key captures the Subject of a particular Event(Ex:User) + +type: keyword -- -*`o365.audit.Name`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`o365.audit.ObjectId`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`o365.audit.Operation`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`o365.audit.OrganizationId`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`o365.audit.OrganizationName`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`o365.audit.OriginatingServer`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`o365.audit.Parameters.*`*:: +*`rsa.investigations.analysis_session`*:: + -- -type: object +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword -- -*`o365.audit.PolicyDetails`*:: +*`rsa.investigations.boc`*:: + -- -type: array +This is used to capture behaviour of compromise + +type: keyword -- -*`o365.audit.PolicyId`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`o365.audit.RecordType`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`o365.audit.ResultStatus`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`o365.audit.SharePointMetaData.*`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: object +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`o365.audit.SessionId`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`o365.audit.Severity`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`o365.audit.Site`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`o365.audit.SiteUrl`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`o365.audit.Source`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`o365.audit.SourceFileExtension`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: 
keyword -- -*`o365.audit.SourceFileName`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`o365.audit.SourceRelativeUrl`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`o365.audit.Status`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`o365.audit.SupportTicketId`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`o365.audit.Target`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -type: array +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword -- -*`o365.audit.TargetContextId`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`o365.audit.TargetUserOrGroupName`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`o365.audit.TargetUserOrGroupType`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`o365.audit.TeamName`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`o365.audit.TeamGuid`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. 
+ type: keyword -- -*`o365.audit.UniqueSharingId`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`o365.audit.UserAgent`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`o365.audit.UserId`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`o365.audit.UserKey`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`o365.audit.UserType`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`o365.audit.Version`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`o365.audit.WebId`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`o365.audit.Workload`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`o365.audit.YammerNetworkId`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -[[exported-fields-okta]] -== Okta fields - -Module for handling system logs from Okta. - - - -[float] -=== okta - -Fields from Okta. - - - -*`okta.uuid`*:: +*`rsa.identity.user_dept`*:: + -- -The unique identifier of the Okta LogEvent. - +User's Department Names only type: keyword -- -*`okta.event_type`*:: +*`rsa.identity.user_sid_src`*:: + -- -The type of the LogEvent. - +This key captures Source User Session ID type: keyword -- -*`okta.version`*:: +*`rsa.identity.federated_sp`*:: + -- -The version of the LogEvent. - +This key is the Federated Service Provider. 
This is the application requesting authentication. type: keyword -- -*`okta.severity`*:: +*`rsa.identity.federated_idp`*:: + -- -The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`okta.display_message`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The display message of the LogEvent. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -[float] -=== actor - -Fields that let you store information of the actor for the LogEvent. +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +type: keyword +-- -*`okta.actor.id`*:: +*`rsa.identity.password`*:: + -- -Identifier of the actor. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`okta.actor.type`*:: +*`rsa.identity.host_role`*:: + -- -Type of the actor. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`okta.actor.alternate_id`*:: +*`rsa.identity.ldap`*:: + -- -Alternate identifier of the actor. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`okta.actor.display_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Display name of the actor. - +This key is the Search criteria from an LDAP search type: keyword -- -[float] -=== client - -Fields that let you store information about the client of the actor. +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search +type: keyword +-- -*`okta.client.ip`*:: +*`rsa.identity.owner`*:: + -- -The IP address of the client. 
+This is used to capture username the process or service is running as, the author of the task - -type: ip +type: keyword -- -[float] -=== user_agent +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -Fields about the user agent information of the client. +type: keyword +-- -*`okta.client.user_agent.raw_user_agent`*:: +*`rsa.email.email_dst`*:: + -- -The raw informaton of the user agent. - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`okta.client.user_agent.os`*:: +*`rsa.email.email_src`*:: + -- -The OS informaton. - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`okta.client.user_agent.browser`*:: +*`rsa.email.subject`*:: + -- -The browser informaton of the client. - +This key is used to capture the subject string from an Email only. type: keyword -- -*`okta.client.zone`*:: +*`rsa.email.email`*:: + -- -The zone information of the client. - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`okta.client.device`*:: +*`rsa.email.trans_from`*:: + -- -The information of the client device. - +Deprecated key defined only in table map. type: keyword -- -*`okta.client.id`*:: +*`rsa.email.trans_to`*:: + -- -The identifier of the client. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== outcome - -Fields that let you store information about the outcome. - - -*`okta.outcome.reason`*:: +*`rsa.file.privilege`*:: + -- -The reason of the outcome. - +Deprecated, use permissions type: keyword -- -*`okta.outcome.result`*:: +*`rsa.file.attachment`*:: + -- -The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. 
- +This key captures the attachment file name type: keyword -- -*`okta.target`*:: +*`rsa.file.filesystem`*:: + -- -The list of targets. - - -type: array +type: keyword -- -[float] -=== transaction - -Fields that let you store information about related transaction. - - - -*`okta.transaction.id`*:: +*`rsa.file.binary`*:: + -- -Identifier of the transaction. - +Deprecated key defined only in table map. type: keyword -- -*`okta.transaction.type`*:: +*`rsa.file.filename_dst`*:: + -- -The type of transaction. Must be one of "WEB", "JOB". - +This is used to capture name of the file targeted by the action type: keyword -- -[float] -=== debug_context - -Fields that let you store information about the debug context. - - - -[float] -=== debug_data - -The debug data. - - - -*`okta.debug_context.debug_data.device_fingerprint`*:: +*`rsa.file.filename_src`*:: + -- -The fingerprint of the device. - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`okta.debug_context.debug_data.request_id`*:: +*`rsa.file.filename_tmp`*:: + -- -The identifier of the request. - - type: keyword -- -*`okta.debug_context.debug_data.request_uri`*:: +*`rsa.file.directory_dst`*:: + -- -The request URI. - +This key is used to capture the directory of the target process or file type: keyword -- -*`okta.debug_context.debug_data.threat_suspected`*:: +*`rsa.file.directory_src`*:: + -- -Threat suspected. - +This key is used to capture the directory of the source process or file type: keyword -- -*`okta.debug_context.debug_data.url`*:: +*`rsa.file.file_entropy`*:: + -- -The URL. +This is used to capture entropy vale of a file - -type: keyword +type: double -- -[float] -=== authentication_context - -Fields that let you store information about authentication context. 
+*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info +type: keyword +-- -*`okta.authentication_context.authentication_provider`*:: +*`rsa.file.task_name`*:: + -- -The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - +This is used to capture name of the task type: keyword -- -*`okta.authentication_context.authentication_step`*:: + +*`rsa.web.fqdn`*:: + -- -The authentication step. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`okta.authentication_context.credential_provider`*:: +*`rsa.web.web_cookie`*:: + -- -The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. - +This key is used to capture the Web cookies specifically. type: keyword -- -*`okta.authentication_context.credential_type`*:: +*`rsa.web.alias_host`*:: + -- -The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - - type: keyword -- -*`okta.authentication_context.issuer`*:: +*`rsa.web.reputation_num`*:: + -- -The information about the issuer. - +Reputation Number of an entity. Typically used for Web Domains -type: array +type: double -- -*`okta.authentication_context.external_session_id`*:: +*`rsa.web.web_ref_domain`*:: + -- -The session identifer of the external session if any. - +Web referer's domain type: keyword -- -*`okta.authentication_context.interface`*:: +*`rsa.web.web_ref_query`*:: + -- -The interface used. e.g., Outlook, Office365, wsTrust - +This key captures Web referer's query portion of the URL type: keyword -- -[float] -=== security_context +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword -Fields that let you store information about security context. 
+-- +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information +type: keyword -[float] -=== as +-- -The autonomous system. +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path +type: keyword +-- -*`okta.security_context.as.number`*:: +*`rsa.web.cn_asn_dst`*:: + -- -The AS number. - - -type: integer +type: keyword -- -[float] -=== organization +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword -The organization that owns the AS number. +-- +*`rsa.web.urlpage`*:: ++ +-- +type: keyword +-- -*`okta.security_context.as.organization.name`*:: +*`rsa.web.urlroot`*:: + -- -The organization name. +type: keyword +-- +*`rsa.web.p_url`*:: ++ +-- type: keyword -- -*`okta.security_context.isp`*:: +*`rsa.web.p_user_agent`*:: + -- -The Internet Service Provider. +type: keyword +-- +*`rsa.web.p_web_cookie`*:: ++ +-- type: keyword -- -*`okta.security_context.domain`*:: +*`rsa.web.p_web_method`*:: + -- -The domain name. +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`okta.security_context.is_proxy`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Whether it is a proxy or not. - - -type: boolean +type: keyword -- -[float] -=== request - -Fields that let you store information about the request, in the form of list of ip_chain. - - - -[float] -=== ip_chain - -List of ip_chain objects. +*`rsa.web.web_page`*:: ++ +-- +type: keyword +-- -*`okta.request.ip_chain.ip`*:: +*`rsa.threat.threat_category`*:: + -- -IP address. +This key captures Threat Name/Threat Category/Categorization of alert - -type: ip +type: keyword -- -*`okta.request.ip_chain.version`*:: +*`rsa.threat.threat_desc`*:: + -- -IP version. Must be one of V4, V6. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`okta.request.ip_chain.source`*:: +*`rsa.threat.alert`*:: + -- -Source information. 
- +This key is used to capture name of the alert type: keyword -- -[float] -=== geographical_context +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat -Geographical information. +type: keyword +-- -*`okta.request.ip_chain.geographical_context.city`*:: +*`rsa.crypto.crypto`*:: + -- -The city. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`okta.request.ip_chain.geographical_context.state`*:: +*`rsa.crypto.cipher_src`*:: + -- -The state. +This key is for Source (Client) Cipher type: keyword -- -*`okta.request.ip_chain.geographical_context.postal_code`*:: +*`rsa.crypto.cert_subject`*:: + -- -The postal code. +This key is used to capture the Certificate organization only type: keyword -- -*`okta.request.ip_chain.geographical_context.country`*:: +*`rsa.crypto.peer`*:: + -- -The country. +This key is for Encryption peer's IP Address type: keyword -- -*`okta.request.ip_chain.geographical_context.geolocation`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Geolocation information. +This key captures Source (Client) Cipher Size - -type: geo_point +type: long -- -[[exported-fields-osquery]] -== Osquery fields +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. -Fields exported by the `osquery` module +type: keyword +-- +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used -[float] -=== osquery +type: keyword +-- +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity +type: keyword -[float] -=== result +-- -Common fields exported by the result metricset. +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type +type: keyword +-- -*`osquery.result.name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -The name of the query that generated this event. +type: keyword + +-- +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. 
type: keyword -- -*`osquery.result.action`*:: +*`rsa.crypto.cert_error`*:: + -- -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - +This key captures the Certificate Error String type: keyword -- -*`osquery.result.host_identifier`*:: +*`rsa.crypto.cipher_dst`*:: + -- -The identifier for the host on which the osquery agent is running. Normally the hostname. - +This key is for Destination (Server) Cipher type: keyword -- -*`osquery.result.unix_time`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - +This key captures Destination (Server) Cipher Size type: long -- -*`osquery.result.calendar_time`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -String representation of the collection time, as formatted by osquery. - +Deprecated, use version type: keyword -- -[[exported-fields-panw]] -== panw fields - -Module for Palo Alto Networks (PAN-OS) - - - -[float] -=== panw - -Fields from the panw module. +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword +-- +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword -[float] -=== panos +-- -Fields for the Palo Alto Networks PAN-OS logs. +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One +type: keyword +-- -*`panw.panos.ruleset`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Name of the rule that matched this session. - +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -[float] -=== source - -Fields to extend the top-level source object. - +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword +-- -*`panw.panos.source.zone`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Source zone for this session. - +This key is used for the hostname category value of a certificate type: keyword -- -*`panw.panos.source.interface`*:: +*`rsa.crypto.cert_serial`*:: + -- -Source interface for this session. 
- +This key is used to capture the Certificate serial number only type: keyword -- -[float] -=== nat - -Post-NAT source address, if source NAT is performed. +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status +type: keyword +-- -*`panw.panos.source.nat.ip`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Post-NAT source IP. +Deprecated, use version - -type: ip +type: keyword -- -*`panw.panos.source.nat.port`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Post-NAT source port. +type: keyword +-- -type: long +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword -- -[float] -=== destination +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -Fields to extend the top-level destination object. +-- +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword +-- -*`panw.panos.destination.zone`*:: +*`rsa.crypto.cert_ca`*:: + -- -Destination zone for this session. - +This key is used to capture the Certificate signing authority only type: keyword -- -*`panw.panos.destination.interface`*:: +*`rsa.crypto.cert_common`*:: + -- -Destination interface for this session. - +This key is used to capture the Certificate common name only type: keyword -- -[float] -=== nat -Post-NAT destination address, if destination NAT is performed. +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session +type: keyword +-- -*`panw.panos.destination.nat.ip`*:: +*`rsa.wireless.access_point`*:: + -- -Post-NAT destination IP. - +This key is used to capture the access point name. -type: ip +type: keyword -- -*`panw.panos.destination.nat.port`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Post-NAT destination port. - +This is used to capture the channel names type: long -- -[float] -=== network - -Fields to extend the top-level network object. - - - -*`panw.panos.network.pcap_id`*:: +*`rsa.wireless.wlan_name`*:: + -- -Packet capture ID for a threat. 
- +This key captures either WLAN number/name type: keyword -- -*`panw.panos.network.nat.community_id`*:: +*`rsa.storage.disk_volume`*:: + -- -Community ID flow-hash for the NAT 5-tuple. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -[float] -=== file - -Fields to extend the top-level file object. - - - -*`panw.panos.file.hash`*:: +*`rsa.storage.lun`*:: + -- -Binary hash for a threat file sent to be analyzed by the WildFire service. - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -[float] -=== url - -Fields to extend the top-level url object. - - - -*`panw.panos.url.category`*:: +*`rsa.storage.pwwn`*:: + -- -For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. - +This uniquely identifies a port on a HBA. type: keyword -- -*`panw.panos.flow_id`*:: + +*`rsa.physical.org_dst`*:: + -- -Internal numeric identifier for each session. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`panw.panos.sequence_number`*:: +*`rsa.physical.org_src`*:: + -- -Log entry identifier that is incremented sequentially. Unique for each log type. +This is used to capture the source organization based on the GEOPIP Maxmind database. - -type: long +type: keyword -- -*`panw.panos.threat.resource`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -URL or file name for a threat. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`panw.panos.threat.id`*:: +*`rsa.healthcare.patient_id`*:: + -- -Palo Alto Networks identifier for the threat. - +This key captures the unique ID for a patient type: keyword -- -*`panw.panos.threat.name`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Palo Alto Networks name for the threat. 
- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`panw.panos.action`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Action taken for the session. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. - - - -[float] -=== postgresql - -Fields from PostgreSQL logs. - - - -[float] -=== log - -Fields from the PostgreSQL log files. - - -*`postgresql.log.timestamp`*:: +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on -deprecated:[7.3.0] - -The timestamp from the log line. - +type: keyword -- -*`postgresql.log.core_id`*:: +*`rsa.endpoint.registry_key`*:: + -- -Core id - +This key captures the path to the registry key -type: long +type: keyword -- -*`postgresql.log.database`*:: +*`rsa.endpoint.registry_value`*:: + -- -Name of database +This key captures values or decorators used within a registry entry - -example: mydb +type: keyword -- -*`postgresql.log.query`*:: -+ --- -Query statement. +[[exported-fields-cloud]] +== Cloud provider metadata fields +Metadata from cloud providers added by the add_cloud_metadata processor. -example: SELECT * FROM users; --- -*`postgresql.log.query_step`*:: +*`cloud.project.id`*:: + -- -Statement step when using extended query protocol (one of statement, parse, bind or execute) +Name of the project in Google Cloud. -example: parse +example: project-x -- -*`postgresql.log.query_name`*:: +*`cloud.image.id`*:: + -- -Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. +Image ID for the cloud instance. 
-example: pdo_stmt_00000001 +example: ami-abcd1234 -- -*`postgresql.log.error.code`*:: +*`meta.cloud.provider`*:: + -- -Error code returned by Postgres (if any) +type: alias -type: long +alias to: cloud.provider -- -*`postgresql.log.timezone`*:: +*`meta.cloud.instance_id`*:: + -- type: alias -alias to: event.timezone +alias to: cloud.instance.id -- -*`postgresql.log.thread_id`*:: +*`meta.cloud.instance_name`*:: + -- type: alias -alias to: process.pid +alias to: cloud.instance.name -- -*`postgresql.log.user`*:: +*`meta.cloud.machine_type`*:: + -- type: alias -alias to: user.name +alias to: cloud.machine.type -- -*`postgresql.log.level`*:: +*`meta.cloud.availability_zone`*:: + -- type: alias -alias to: log.level +alias to: cloud.availability_zone -- -*`postgresql.log.message`*:: +*`meta.cloud.project_id`*:: + -- type: alias -alias to: message +alias to: cloud.project.id -- -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: +*`meta.cloud.region`*:: + -- type: alias -alias to: process.executable +alias to: cloud.region -- -[[exported-fields-rabbitmq]] -== RabbitMQ fields +[[exported-fields-coredns]] +== Coredns fields -RabbitMQ Module +Module for handling logs produced by coredns [float] -=== rabbitmq +=== coredns +coredns fields after normalization -[float] -=== log +*`coredns.id`*:: ++ +-- +id of the DNS transaction -RabbitMQ log files +type: keyword +-- -*`rabbitmq.log.pid`*:: +*`coredns.query.size`*:: + -- -The Erlang process id +size of the DNS query -type: keyword -example: <0.222.0> +type: integer + +format: bytes -- -[[exported-fields-redis]] -== Redis fields +*`coredns.query.class`*:: ++ +-- +DNS query class -Redis Module +type: keyword +-- -[float] -=== redis +*`coredns.query.name`*:: ++ +-- +DNS query name +type: keyword +-- -[float] -=== log +*`coredns.query.type`*:: ++ +-- +DNS query type -Redis log files +type: keyword +-- -*`redis.log.role`*:: +*`coredns.response.code`*:: + -- -The role of the Redis 
instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. +DNS response code type: keyword -- -*`redis.log.pid`*:: +*`coredns.response.flags`*:: + -- -type: alias +DNS response flags -alias to: process.pid + +type: keyword -- -*`redis.log.level`*:: +*`coredns.response.size`*:: + -- -type: alias +size of the DNS response -alias to: log.level + +type: integer + +format: bytes -- -*`redis.log.message`*:: +*`coredns.dnssec_ok`*:: + -- -type: alias +dnssec flag -alias to: message + +type: boolean -- +[[exported-fields-crowdstrike]] +== Crowdstrike fields + +Module for collecting Crowdstrike events. + + + [float] -=== slowlog +=== crowdstrike -Slow logs are retrieved from Redis via a network connection. +Fields for Crowdstrike Falcon event and alert data. -*`redis.slowlog.cmd`*:: +[float] +=== metadata + +Meta data fields for each event that include type and timestamp. + + + +*`crowdstrike.metadata.eventType`*:: + -- -The command executed. +DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword -- -*`redis.slowlog.duration.us`*:: +*`crowdstrike.metadata.eventCreationTime`*:: + -- -How long it took to execute the command in microseconds. +The time this event occurred on the endpoint in UTC UNIX_MS format. -type: long +type: date -- -*`redis.slowlog.id`*:: +*`crowdstrike.metadata.offset`*:: + -- -The ID of the query. +Offset number that tracks the location of the event in stream. This is used to identify unique detection events. -type: long +type: integer -- -*`redis.slowlog.key`*:: +*`crowdstrike.metadata.customerIDString`*:: + -- -The key on which the command was executed. +Customer identifier type: keyword -- -*`redis.slowlog.args`*:: +*`crowdstrike.metadata.version`*:: + -- -The arguments with which the command was called. 
+Schema version type: keyword -- -[[exported-fields-s3]] -== s3 fields +[float] +=== event -S3 fields from s3 input. +Event data fields for each event and alert. -*`bucket_name`*:: +*`crowdstrike.event.ProcessStartTime`*:: + -- -Name of the S3 bucket that this log retrieved from. +The process start time in UTC UNIX_MS format. -type: keyword +type: date -- -*`object_key`*:: +*`crowdstrike.event.ProcessEndTime`*:: + -- -Name of the S3 object that this log retrieved from. +The process termination time in UTC UNIX_MS format. -type: keyword +type: date -- -[[exported-fields-santa]] -== Google Santa fields +*`crowdstrike.event.ProcessId`*:: ++ +-- +Process ID related to the detection. -Santa Module +type: integer +-- -[float] -=== santa +*`crowdstrike.event.ParentProcessId`*:: ++ +-- +Parent process ID related to the detection. +type: integer +-- -*`santa.action`*:: +*`crowdstrike.event.ComputerName`*:: + -- -Action +Name of the computer where the detection occurred. -type: keyword -example: EXEC +type: keyword -- -*`santa.decision`*:: +*`crowdstrike.event.UserName`*:: + -- -Decision that santad took. +User name associated with the detection. -type: keyword -example: ALLOW +type: keyword -- -*`santa.reason`*:: +*`crowdstrike.event.DetectName`*:: + -- -Reason for the decsision. +Name of the detection. -type: keyword -example: CERT +type: keyword -- -*`santa.mode`*:: +*`crowdstrike.event.DetectDescription`*:: + -- -Operating mode of Santa. +Description of the detection. + type: keyword -example: M +-- +*`crowdstrike.event.Severity`*:: ++ -- +Severity score of the detection. -[float] -=== disk -Fields for DISKAPPEAR actions. +type: integer +-- -*`santa.disk.volume`*:: +*`crowdstrike.event.SeverityName`*:: + -- -The volume name. +Severity score text. --- -*`santa.disk.bus`*:: -+ --- -The disk bus protocol. +type: keyword -- -*`santa.disk.serial`*:: +*`crowdstrike.event.FileName`*:: + -- -The disk serial number. +File name of the associated process for the detection. 
+ + +type: keyword -- -*`santa.disk.bsdname`*:: +*`crowdstrike.event.FilePath`*:: + -- -The disk BSD name. +Path of the executable associated with the detection. -example: disk1s3 + +type: keyword -- -*`santa.disk.model`*:: +*`crowdstrike.event.CommandLine`*:: + -- -The disk model. +Executable path with command line arguments. -example: APPLE SSD SM0512L + +type: keyword -- -*`santa.disk.fs`*:: +*`crowdstrike.event.SHA256String`*:: + -- -The disk volume kind (filesystem type). +SHA256 sum of the executable associated with the detection. -example: apfs + +type: keyword -- -*`santa.disk.mount`*:: +*`crowdstrike.event.MD5String`*:: + -- -The disk volume path. +MD5 sum of the executable associated with the detection. + + +type: keyword -- -*`santa.certificate.common_name`*:: +*`crowdstrike.event.MachineDomain`*:: + -- -Common name from code signing certificate. +Domain for the machine associated with the detection. + type: keyword -- -*`santa.certificate.sha256`*:: +*`crowdstrike.event.FalconHostLink`*:: + -- -SHA256 hash of code signing certificate. +URL to view the detection in Falcon. + type: keyword -- -[[exported-fields-suricata]] -== Suricata fields +*`crowdstrike.event.SensorId`*:: ++ +-- +Unique ID associated with the Falcon sensor. -Module for handling the EVE JSON logs produced by Suricata. +type: keyword +-- -[float] -=== suricata +*`crowdstrike.event.DetectId`*:: ++ +-- +Unique ID associated with the detection. -Fields from the Suricata EVE log file. +type: keyword +-- -[float] -=== eve +*`crowdstrike.event.LocalIP`*:: ++ +-- +IP address of the host associated with the detection. -Fields exported by the EVE JSON logs +type: keyword +-- -*`suricata.eve.event_type`*:: +*`crowdstrike.event.MACAddress`*:: + -- +MAC address of the host associated with the detection. + + type: keyword -- -*`suricata.eve.app_proto_orig`*:: +*`crowdstrike.event.Tactic`*:: + -- +MITRE tactic category of the detection. 
+ + type: keyword -- - -*`suricata.eve.tcp.tcp_flags`*:: +*`crowdstrike.event.Technique`*:: + -- +MITRE technique category of the detection. + + type: keyword -- -*`suricata.eve.tcp.psh`*:: +*`crowdstrike.event.Objective`*:: + -- -type: boolean +Method of detection. + + +type: keyword -- -*`suricata.eve.tcp.tcp_flags_tc`*:: +*`crowdstrike.event.PatternDispositionDescription`*:: + -- +Action taken by Falcon. + + type: keyword -- -*`suricata.eve.tcp.ack`*:: +*`crowdstrike.event.PatternDispositionValue`*:: + -- -type: boolean +Unique ID associated with action taken. + + +type: integer -- -*`suricata.eve.tcp.syn`*:: +*`crowdstrike.event.PatternDispositionFlags`*:: + -- -type: boolean +Flags indicating actions taken. + + +type: object -- -*`suricata.eve.tcp.state`*:: +*`crowdstrike.event.State`*:: + -- +Whether the incident summary is open and ongoing or closed. + + type: keyword -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`crowdstrike.event.IncidentStartTime`*:: + -- -type: keyword +Start time for the incident in UTC UNIX format. + + +type: date -- -*`suricata.eve.tcp.rst`*:: +*`crowdstrike.event.IncidentEndTime`*:: + -- -type: boolean +End time for the incident in UTC UNIX format. + + +type: date -- -*`suricata.eve.tcp.fin`*:: +*`crowdstrike.event.FineScore`*:: + -- -type: boolean +Score for incident. --- +type: float -*`suricata.eve.fileinfo.sha1`*:: +-- + +*`crowdstrike.event.UserId`*:: + -- +Email address or user ID associated with the event. + + type: keyword -- -*`suricata.eve.fileinfo.filename`*:: +*`crowdstrike.event.UserIp`*:: + -- -type: alias +IP address associated with the user. -alias to: file.path + +type: keyword -- -*`suricata.eve.fileinfo.tx_id`*:: +*`crowdstrike.event.OperationName`*:: + -- -type: long +Event subtype. --- -*`suricata.eve.fileinfo.state`*:: -+ --- type: keyword -- -*`suricata.eve.fileinfo.stored`*:: +*`crowdstrike.event.ServiceName`*:: + -- -type: boolean +Service associated with this event. 
+ + +type: keyword -- -*`suricata.eve.fileinfo.gaps`*:: +*`crowdstrike.event.Success`*:: + -- +Indicator of whether or not this event was successful. + + type: boolean -- -*`suricata.eve.fileinfo.sha256`*:: +*`crowdstrike.event.UTCTimestamp`*:: + -- -type: keyword +Timestamp associated with this event in UTC UNIX format. --- -*`suricata.eve.fileinfo.md5`*:: -+ --- -type: keyword +type: date -- -*`suricata.eve.fileinfo.size`*:: +*`crowdstrike.event.AuditKeyValues`*:: + -- -type: alias +Fields that were changed in this event. -alias to: file.size + +type: nested -- -*`suricata.eve.icmp_type`*:: +*`crowdstrike.event.SessionId`*:: + -- -type: long +Session ID of the remote response session. + + +type: keyword -- -*`suricata.eve.dest_port`*:: +*`crowdstrike.event.HostnameField`*:: + -- -type: alias +Host name of the machine for the remote session. -alias to: destination.port + +type: keyword -- -*`suricata.eve.src_port`*:: +*`crowdstrike.event.StartTimestamp`*:: + -- -type: alias +Start time for the remote session in UTC UNIX format. -alias to: source.port + +type: date -- -*`suricata.eve.proto`*:: +*`crowdstrike.event.EndTimestamp`*:: + -- -type: alias +End time for the remote session in UTC UNIX format. -alias to: network.transport --- +type: date -*`suricata.eve.pcap_cnt`*:: -+ -- -type: long --- +[[exported-fields-cylance]] +== CylanceProtect fields -*`suricata.eve.src_ip`*:: +cylance fields. + + + +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. 
-alias to: source.ip + +type: keyword -- -*`suricata.eve.dns.type`*:: + +*`rsa.internal.msg`*:: + -- +This key is used to capture the raw message that comes into the Log Decoder + type: keyword -- -*`suricata.eve.dns.rrtype`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`suricata.eve.dns.rrname`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`suricata.eve.dns.rdata`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`suricata.eve.dns.tx_id`*:: +*`rsa.internal.time`*:: + -- -type: long +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`suricata.eve.dns.ttl`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`suricata.eve.dns.rcode`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.dns.id`*:: +*`rsa.internal.msg_vid`*:: + -- -type: long +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.flow_id`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- - -*`suricata.eve.email.status`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.dest_ip`*:: +*`rsa.internal.obj_val`*:: + -- -type: alias +Deprecated key defined only in table map. 
-alias to: destination.ip +type: keyword -- -*`suricata.eve.icmp_code`*:: +*`rsa.internal.resource`*:: + -- -type: long +Deprecated key defined only in table map. --- +type: keyword +-- -*`suricata.eve.http.status`*:: +*`rsa.internal.obj_id`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.response.status_code +type: keyword -- -*`suricata.eve.http.redirect`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.http.http_user_agent`*:: +*`rsa.internal.audit_class`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: user_agent.original +type: keyword -- -*`suricata.eve.http.protocol`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.http.http_refer`*:: +*`rsa.internal.hcode`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.request.referrer +type: keyword -- -*`suricata.eve.http.url`*:: +*`rsa.internal.inode`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: url.original +type: long -- -*`suricata.eve.http.hostname`*:: +*`rsa.internal.resource_class`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: url.domain +type: keyword -- -*`suricata.eve.http.length`*:: +*`rsa.internal.dead`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: http.response.body.bytes +type: long -- -*`suricata.eve.http.http_method`*:: +*`rsa.internal.feed_desc`*:: + -- -type: alias +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: http.request.method +type: keyword -- -*`suricata.eve.http.http_content_type`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.timestamp`*:: +*`rsa.internal.cid`*:: + -- -type: alias +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: @timestamp +type: keyword -- -*`suricata.eve.in_iface`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- - -*`suricata.eve.alert.category`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.alert.severity`*:: +*`rsa.internal.device_host`*:: + -- -type: alias +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: event.severity +type: keyword -- -*`suricata.eve.alert.rev`*:: +*`rsa.internal.device_ip`*:: + -- -type: long +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.alert.gid`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: long +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.alert.signature`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.alert.action`*:: +*`rsa.internal.device_type_id`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: event.outcome +type: long -- -*`suricata.eve.alert.signature_id`*:: +*`rsa.internal.did`*:: + -- -type: long - --- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`suricata.eve.ssh.client.proto_version`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`suricata.eve.ssh.client.software_version`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration --- +type: long +-- -*`suricata.eve.ssh.server.proto_version`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.ssh.server.software_version`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- - - -*`suricata.eve.stats.capture.kernel_packets`*:: +*`rsa.internal.forward_ip`*:: + -- -type: long +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`suricata.eve.stats.capture.kernel_drops`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: long +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`rsa.internal.header_id`*:: + -- -type: long +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.uptime`*:: +*`rsa.internal.lc_cid`*:: + -- -type: long +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: keyword +-- -*`suricata.eve.stats.detect.alert`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: long +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: date +-- -*`suricata.eve.stats.http.memcap`*:: +*`rsa.internal.mcb_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`suricata.eve.stats.http.memuse`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- - -*`suricata.eve.stats.file_store.open_files`*:: +*`rsa.internal.mcbc_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- - -*`suricata.eve.stats.defrag.max_frag_hits`*:: +*`rsa.internal.mcbc_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`rsa.internal.medium`*:: + -- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + type: long -- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: +*`rsa.internal.node_name`*:: + -- -type: long +Deprecated key defined only in table map. 
+ +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: long +This key denotes that event is endpoint related --- +type: keyword +-- -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: +*`rsa.internal.parse_error`*:: + -- -type: long +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`rsa.internal.payload_req`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: +*`rsa.internal.payload_res`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- - -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`suricata.eve.stats.flow.udp`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`rsa.internal.rid`*:: + -- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`suricata.eve.stats.flow.emerg_mode_entered`*:: +*`rsa.internal.session_split`*:: + -- -type: long +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_over`*:: +*`rsa.internal.site`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.flow.tcp`*:: +*`rsa.internal.size`*:: + -- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`suricata.eve.stats.flow.icmpv6`*:: +*`rsa.internal.sourcefile`*:: + -- -type: long +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.icmpv4`*:: +*`rsa.internal.ubc_req`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.flow.spare`*:: +*`rsa.internal.ubc_res`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.flow.memuse`*:: +*`rsa.internal.word`*:: + -- -type: long +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`suricata.eve.stats.tcp.pseudo_failed`*:: +*`rsa.time.event_time`*:: + -- -type: long +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`rsa.time.duration_time`*:: + -- -type: long +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: +*`rsa.time.event_time_str`*:: + -- -type: long +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword -- -*`suricata.eve.stats.tcp.sessions`*:: +*`rsa.time.starttime`*:: + -- -type: long +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.tcp.pseudo`*:: +*`rsa.time.month`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.synack`*:: +*`rsa.time.day`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: +*`rsa.time.endtime`*:: + -- -type: long +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.tcp.syn`*:: +*`rsa.time.timezone`*:: + -- -type: long +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`suricata.eve.stats.tcp.memuse`*:: +*`rsa.time.duration_str`*:: + -- -type: long +A text string version of the duration + +type: keyword -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: +*`rsa.time.date`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: +*`rsa.time.year`*:: + -- -type: long 
+type: keyword -- -*`suricata.eve.stats.tcp.overlap`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`suricata.eve.stats.tcp.insert_list_fail`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.rst`*:: +*`rsa.time.effective_time`*:: + -- -type: long +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`suricata.eve.stats.tcp.stream_depth_reached`*:: +*`rsa.time.expire_time`*:: + -- -type: long +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`rsa.time.process_time`*:: + -- -type: long +Deprecated, use duration.time + +type: keyword -- -*`suricata.eve.stats.tcp.reassembly_gap`*:: +*`rsa.time.hour`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: +*`rsa.time.min`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.no_flow`*:: +*`rsa.time.timestamp`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.avg_pkt_size`*:: +*`rsa.time.event_queue_time`*:: + -- -type: long +This key is the Time that the event was queued. 
+ +type: date -- -*`suricata.eve.stats.decoder.bytes`*:: +*`rsa.time.p_time1`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.tcp`*:: +*`rsa.time.tzone`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.raw`*:: +*`rsa.time.eventtime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ppp`*:: +*`rsa.time.gmtdate`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.null`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +*`rsa.time.p_month`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.invalid`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.gre`*:: +*`rsa.time.p_year`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`suricata.eve.stats.decoder.ipv6`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`suricata.eve.stats.decoder.pkts`*:: + +*`rsa.misc.action`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: +*`rsa.misc.result`*:: + -- -type: long +This key is used to capture the outcome/result string value of an action in a session. 
--- +type: keyword +-- -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`suricata.eve.stats.decoder.pppoe`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. + +type: keyword -- -*`suricata.eve.stats.decoder.udp`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly --- +type: keyword +-- -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`suricata.eve.stats.decoder.vlan`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`suricata.eve.stats.decoder.sctp`*:: +*`rsa.misc.result_code`*:: + -- -type: long +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`rsa.misc.category`*:: + -- -type: long +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`suricata.eve.stats.decoder.teredo`*:: +*`rsa.misc.obj_name`*:: + -- -type: long +This is used to capture name of object + +type: keyword -- -*`suricata.eve.stats.decoder.mpls`*:: +*`rsa.misc.obj_type`*:: + -- -type: long +This is used to capture type of object + +type: keyword -- -*`suricata.eve.stats.decoder.sll`*:: +*`rsa.misc.event_source`*:: + -- -type: long +This key captures Source of the event that’s not a hostname + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`rsa.misc.log_session_id`*:: + -- -type: long +This key is used to capture a sessionid from the session directly + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv4`*:: +*`rsa.misc.group`*:: + -- -type: 
long +This key captures the Group Name value + +type: keyword -- -*`suricata.eve.stats.decoder.erspan`*:: +*`rsa.misc.policy_name`*:: + -- -type: long +This key is used to capture the Policy Name only. + +type: keyword -- -*`suricata.eve.stats.decoder.ethernet`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`suricata.eve.stats.decoder.ieee8021ah`*:: +*`rsa.misc.change_new`*:: + -- -type: long +This key is used to capture the new values of the attribute that’s changing in a session --- +type: keyword +-- -*`suricata.eve.stats.dns.memcap_global`*:: +*`rsa.misc.space`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.dns.memcap_state`*:: +*`rsa.misc.client`*:: + -- -type: long +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`suricata.eve.stats.dns.memuse`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.flow_mgr.rows_busy`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`rsa.misc.change_old`*:: + -- -type: long +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: +*`rsa.misc.operation_id`*:: + -- -type: long +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`rsa.misc.event_state`*:: + -- -type: long +This key captures the current state of the object/item referenced within the event. Describing an on-going event. 
+ +type: keyword -- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. Specific usage + +type: keyword -- -*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`rsa.misc.node`*:: + -- -type: long +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: +*`rsa.misc.rule`*:: + -- -type: long +This key captures the Rule number + +type: keyword -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`rsa.misc.device_name`*:: + -- -type: long +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`rsa.misc.change_attrib`*:: + -- -type: long +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: +*`rsa.misc.event_computer`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: +*`rsa.misc.reference_id1`*:: + -- -type: long +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: +*`rsa.misc.event_log`*:: + -- -type: long +This key captures the Name of the event log + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: +*`rsa.misc.OS`*:: + -- -type: long +This key captures the Name of the Operating System +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ -- +This key captures the Terminal Names only +type: keyword +-- -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ftp`*:: +*`rsa.misc.filter`*:: + -- -type: long +This key captures Filter used to reduce result set + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`rsa.misc.serial_number`*:: + -- -type: long +This key is the Serial number associated with a physical asset. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: +*`rsa.misc.checksum`*:: + -- -type: long +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`rsa.misc.event_user`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: +*`rsa.misc.virusname`*:: + -- -type: long +This key captures the name of the virus + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: +*`rsa.misc.content_type`*:: + -- -type: long +This key is used to capture Content Type only. 
+ +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: +*`rsa.misc.group_id`*:: + -- -type: long +This key captures Group ID Number (related to the group name) + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.msn`*:: +*`rsa.misc.policy_id`*:: + -- -type: long +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ssh`*:: +*`rsa.misc.vsys`*:: + -- -type: long +This key captures Virtual System Name + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`rsa.misc.connection_id`*:: + -- -type: long +This key captures the Connection ID + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: +*`rsa.misc.reference_id2`*:: + -- -type: long +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`rsa.misc.sensor`*:: + -- -type: long +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smb`*:: +*`rsa.misc.sig_id`*:: + -- +This key captures IDS/IPS Int Signature ID + type: long -- - -*`suricata.eve.stats.app_layer.tx.tls`*:: +*`rsa.misc.port_name`*:: + -- -type: long +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ftp`*:: +*`rsa.misc.rule_group`*:: + -- -type: long +This key captures the Rule group name + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`rsa.misc.risk_num`*:: + -- -type: long +This key captures a Numeric Risk value + +type: double -- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: +*`rsa.misc.trigger_val`*:: + -- -type: long +This key captures the Value of the trigger or threshold condition. 
+ +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: long +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smtp`*:: +*`rsa.misc.comp_version`*:: + -- -type: long +This key captures the Version level of a sub-component of a product. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: +*`rsa.misc.content_version`*:: + -- -type: long +This key captures Version level of a signature or database content. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: +*`rsa.misc.hardware_id`*:: + -- -type: long +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`rsa.misc.risk`*:: + -- -type: long +This key captures the non-numeric risk value + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smb`*:: +*`rsa.misc.event_id`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.tls.notbefore`*:: +*`rsa.misc.reason`*:: + -- -type: date +type: keyword -- -*`suricata.eve.tls.issuerdn`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`suricata.eve.tls.sni`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`suricata.eve.tls.version`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`suricata.eve.tls.session_resumed`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: boolean +This key captures the Description of the trigger or threshold condition. 
+ +type: keyword -- -*`suricata.eve.tls.fingerprint`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`suricata.eve.tls.serial`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`suricata.eve.tls.notafter`*:: +*`rsa.misc.data_type`*:: + -- -type: date +type: keyword -- -*`suricata.eve.tls.subject`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- - -*`suricata.eve.tls.ja3s.string`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`suricata.eve.tls.ja3s.hash`*:: +*`rsa.misc.index`*:: + -- type: keyword -- - -*`suricata.eve.tls.ja3.string`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`suricata.eve.tls.ja3.hash`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`suricata.eve.app_proto_ts`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- - -*`suricata.eve.flow.bytes_toclient`*:: +*`rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. 
This contains details about the policy -alias to: destination.bytes +type: keyword -- -*`suricata.eve.flow.start`*:: +*`rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: event.start +type: keyword -- -*`suricata.eve.flow.pkts_toclient`*:: +*`rsa.misc.rule_template`*:: + -- -type: alias +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -alias to: destination.packets +type: keyword -- -*`suricata.eve.flow.age`*:: +*`rsa.misc.count`*:: + -- -type: long +type: keyword -- -*`suricata.eve.flow.state`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`suricata.eve.flow.bytes_toserver`*:: +*`rsa.misc.sigcat`*:: + -- -type: alias - -alias to: source.bytes +type: keyword -- -*`suricata.eve.flow.reason`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`suricata.eve.flow.pkts_toserver`*:: +*`rsa.misc.comments`*:: + -- -type: alias +Comment information provided in the log message -alias to: source.packets +type: keyword -- -*`suricata.eve.flow.end`*:: +*`rsa.misc.doc_number`*:: + -- -type: date +This key captures File Identification number + +type: long -- -*`suricata.eve.flow.alerted`*:: +*`rsa.misc.expected_val`*:: + -- -type: boolean +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword -- -*`suricata.eve.app_proto`*:: +*`rsa.misc.job_num`*:: + -- -type: alias +This key captures the Job Number -alias to: network.protocol +type: keyword -- -*`suricata.eve.tx_id`*:: +*`rsa.misc.spi_dst`*:: + -- -type: long +Destination SPI Index + +type: keyword -- -*`suricata.eve.app_proto_tc`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- - -*`suricata.eve.smtp.rcpt_to`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`suricata.eve.smtp.mail_from`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`suricata.eve.smtp.helo`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`suricata.eve.app_proto_expected`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -[[exported-fields-system]] -== System fields - -Module for parsing system log files. - - - -[float] -=== system - -Fields from the system log files. +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. +type: keyword +-- -[float] -=== auth +*`rsa.misc.cmd`*:: ++ +-- +type: keyword -Fields from the Linux authorization logs. +-- +*`rsa.misc.misc`*:: ++ +-- +type: keyword +-- -*`system.auth.timestamp`*:: +*`rsa.misc.name`*:: + -- -type: alias - -alias to: @timestamp +type: keyword -- -*`system.auth.hostname`*:: +*`rsa.misc.cpu`*:: + -- -type: alias +This key is the CPU time used in the execution of the event being recorded. -alias to: host.hostname +type: long -- -*`system.auth.program`*:: +*`rsa.misc.event_desc`*:: + -- -type: alias +This key is used to capture a description of an event available directly or inferred -alias to: process.name +type: keyword -- -*`system.auth.pid`*:: +*`rsa.misc.sig_id1`*:: + -- -type: alias +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id -alias to: process.pid +type: long -- -*`system.auth.message`*:: +*`rsa.misc.im_buddyid`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`system.auth.user`*:: +*`rsa.misc.im_client`*:: + -- -type: alias +type: keyword -alias to: user.name +-- +*`rsa.misc.im_userid`*:: ++ -- +type: keyword +-- -*`system.auth.ssh.method`*:: +*`rsa.misc.pid`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". - +type: keyword -- -*`system.auth.ssh.signature`*:: +*`rsa.misc.priority`*:: + -- -The signature of the client public key. - +type: keyword -- -*`system.auth.ssh.dropped_ip`*:: +*`rsa.misc.context_subject`*:: + -- -The client IP from SSH connections that are open and immediately dropped. - +This key is to be used in an audit context where the subject is the object being identified -type: ip +type: keyword -- -*`system.auth.ssh.event`*:: +*`rsa.misc.context_target`*:: + -- -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - -example: Accepted +type: keyword -- -*`system.auth.ssh.ip`*:: +*`rsa.misc.cve`*:: + -- -type: alias +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -alias to: source.ip +type: keyword -- -*`system.auth.ssh.port`*:: +*`rsa.misc.fcatnum`*:: + -- -type: alias +This key captures Filter Category Number. Legacy Usage -alias to: source.port +type: keyword -- - -*`system.auth.ssh.geoip.continent_name`*:: +*`rsa.misc.library`*:: + -- -type: alias +This key is used to capture library information in mainframe devices -alias to: source.geo.continent_name +type: keyword -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`rsa.misc.parent_node`*:: + -- -type: alias +This key captures the Parent Node Name. Must be related to node variable. 
-alias to: source.geo.country_iso_code +type: keyword -- -*`system.auth.ssh.geoip.location`*:: +*`rsa.misc.risk_info`*:: + -- -type: alias +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -alias to: source.geo.location +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: alias +This key is captures the TCP flags set in any packet of session -alias to: source.geo.region_name +type: long -- -*`system.auth.ssh.geoip.city_name`*:: +*`rsa.misc.tos`*:: + -- -type: alias +This key describes the type of service -alias to: source.geo.city_name +type: long -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`rsa.misc.vm_target`*:: + -- -type: alias +VMWare Target **VMWARE** only varaible. -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== sudo - -Fields specific to events created by the `sudo` command. +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description +type: keyword +-- -*`system.auth.sudo.error`*:: +*`rsa.misc.command`*:: + -- -The error message in case the sudo command failed. - - -example: user NOT in sudoers +type: keyword -- -*`system.auth.sudo.tty`*:: +*`rsa.misc.event_category`*:: + -- -The TTY where the sudo command is executed. - +type: keyword -- -*`system.auth.sudo.pwd`*:: +*`rsa.misc.facilityname`*:: + -- -The current directory where the sudo command is executed. 
- +type: keyword -- -*`system.auth.sudo.user`*:: +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: 
++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: 
keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. 
+ +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. + +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+ +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This 
is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. + +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients 
information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. 
Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-docker-processor]] +== Docker fields + +Docker stats collected from Docker. + + + + +*`docker.container.id`*:: ++ +-- +type: alias + +alias to: container.id + +-- + +*`docker.container.image`*:: ++ +-- +type: alias + +alias to: container.image.name + +-- + +*`docker.container.name`*:: ++ +-- +type: alias + +alias to: container.name + +-- + +*`docker.container.labels`*:: ++ +-- +Image labels. + + +type: object + +-- + +[[exported-fields-ecs]] +== ECS fields + +ECS Fields. + + +*`@timestamp`*:: ++ +-- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. 
+ +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True + +-- + +*`labels`*:: ++ +-- +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. + +type: object + +example: {"application": "foo-bar", "env": "production"} + +-- + +*`message`*:: ++ +-- +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. + +type: text + +example: Hello World + +-- + +*`tags`*:: ++ +-- +List of keywords used to tag each event. + +type: keyword + +example: ["production", "env2"] + +-- + +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.ephemeral_id`*:: ++ +-- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + +type: keyword + +example: 8a4f500f + +-- + +*`agent.id`*:: ++ +-- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + +type: keyword + +example: 8a4f500d + +-- + +*`agent.name`*:: ++ +-- +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. 
+ +type: keyword + +example: foo + +-- + +*`agent.type`*:: ++ +-- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + +type: keyword + +example: filebeat + +-- + +*`agent.version`*:: ++ +-- +Version of the agent. + +type: keyword + +example: 6.0.0-rc2 + +-- + +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`as.organization.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== client + +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 
If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`client.address`*:: ++ +-- +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`client.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`client.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`client.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`client.bytes`*:: ++ +-- +Bytes sent from the client to the server. + +type: long + +example: 184 + +format: bytes + +-- + +*`client.domain`*:: ++ +-- +Client domain. + +type: keyword + +-- + +*`client.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`client.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`client.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`client.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`client.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`client.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`client.geo.region_iso_code`*:: ++ +-- +Region ISO code. 
+ +type: keyword + +example: CA-QC + +-- + +*`client.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`client.ip`*:: ++ +-- +IP address of the client. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`client.mac`*:: ++ +-- +MAC address of the client. + +type: keyword + +-- + +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`client.nat.port`*:: ++ +-- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`client.packets`*:: ++ +-- +Packets sent from the client to the server. + +type: long + +example: 12 + +-- + +*`client.port`*:: ++ +-- +Port of the client. + +type: long + +format: string + +-- + +*`client.registered_domain`*:: ++ +-- +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`client.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`client.user.domain`*:: ++ +-- +Name of the directory the user is a member of. 
+For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`client.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`client.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`client.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`client.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`client.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`client.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`client.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`client.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`client.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`client.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== cloud + +Fields related to the cloud or infrastructure the events are coming from. + + +*`cloud.account.id`*:: ++ +-- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + +type: keyword + +example: 666777888999 + +-- + +*`cloud.availability_zone`*:: ++ +-- +Availability zone in which this host is running. + +type: keyword + +example: us-east-1c + +-- + +*`cloud.instance.id`*:: ++ +-- +Instance ID of the host machine. + +type: keyword + +example: i-1234567890abcdef0 + +-- + +*`cloud.instance.name`*:: ++ +-- +Instance name of the host machine. + +type: keyword + +-- + +*`cloud.machine.type`*:: ++ +-- +Machine type of the host machine. 
+ +type: keyword + +example: t2.medium + +-- + +*`cloud.provider`*:: ++ +-- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + +type: keyword + +example: aws + +-- + +*`cloud.region`*:: ++ +-- +Region in which this host is running. + +type: keyword + +example: us-east-1 + +-- + +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +[float] +=== container + +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. + + +*`container.id`*:: ++ +-- +Unique container id. + +type: keyword + +-- + +*`container.image.name`*:: ++ +-- +Name of the image the container was built on. + +type: keyword + +-- + +*`container.image.tag`*:: ++ +-- +Container image tags. 
+ +type: keyword + +-- + +*`container.labels`*:: ++ +-- +Image labels. + +type: object + +-- + +*`container.name`*:: ++ +-- +Container name. + +type: keyword + +-- + +*`container.runtime`*:: ++ +-- +Runtime managing this container. + +type: keyword + +example: docker + +-- + +[float] +=== destination + +Destination fields describe details about the destination of a packet/event. +Destination fields are usually populated in conjunction with source fields. + + +*`destination.address`*:: ++ +-- +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`destination.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`destination.bytes`*:: ++ +-- +Bytes sent from the destination to the source. + +type: long + +example: 184 + +format: bytes + +-- + +*`destination.domain`*:: ++ +-- +Destination domain. + +type: keyword + +-- + +*`destination.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`destination.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`destination.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`destination.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`destination.geo.location`*:: ++ +-- +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`destination.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`destination.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`destination.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`destination.ip`*:: ++ +-- +IP address of the destination. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`destination.mac`*:: ++ +-- +MAC address of the destination. + +type: keyword + +-- + +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`destination.packets`*:: ++ +-- +Packets sent from the destination to the source. + +type: long + +example: 12 + +-- + +*`destination.port`*:: ++ +-- +Port of the destination. + +type: long + +format: string + +-- + +*`destination.registered_domain`*:: ++ +-- +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ +type: keyword + +example: google.com + +-- + +*`destination.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`destination.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`destination.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`destination.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`destination.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`destination.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`destination.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`destination.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`destination.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. 
+ +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. 
+ +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. 
+ +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.google.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of records being queried. + +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.google.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". 
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`dns.question.subdomain`*:: ++ +-- +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: www + +-- + +*`dns.question.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + +[float] +=== ecs + +Meta-information specific to ECS. + + +*`ecs.version`*:: ++ +-- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + +type: keyword + +example: 1.0.0 + +required: True + +-- + +[float] +=== error + +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. + + +*`error.code`*:: ++ +-- +Error code describing the error. + +type: keyword + +-- + +*`error.id`*:: ++ +-- +Unique identifier for the error. + +type: keyword + +-- + +*`error.message`*:: ++ +-- +Error message. + +type: text + +-- + +*`error.stack_trace`*:: ++ +-- +The stack trace of this error in plain text. + +type: keyword + +-- + +*`error.stack_trace.text`*:: ++ +-- +type: text + +-- + +*`error.type`*:: ++ +-- +The type of the error, for example the class name of the exception. + +type: keyword + +example: java.lang.NullPointerException + +-- + +[float] +=== event + +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. 
See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: ++ +-- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + +type: keyword + +example: user-password-change + +-- + +*`event.category`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. + +type: keyword + +example: authentication + +-- + +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + +type: keyword + +example: 4648 + +-- + +*`event.created`*:: ++ +-- +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. 
+ +type: date + +example: 2016-05-23T08:05:34.857Z + +-- + +*`event.dataset`*:: ++ +-- +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + +type: keyword + +example: apache.access + +-- + +*`event.duration`*:: ++ +-- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + +type: long + +format: duration + +-- + +*`event.end`*:: ++ +-- +event.end contains the date when the event ended or when the activity was last observed. + +type: date + +-- + +*`event.hash`*:: ++ +-- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + +type: keyword + +example: 123456789012345678901234567890ABCD + +-- + +*`event.id`*:: ++ +-- +Unique ID to describe the event. + +type: keyword + +example: 8a4f500d + +-- + +*`event.ingested`*:: ++ +-- +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + +type: date + +example: 2016-05-23T08:05:35.101Z + +-- + +*`event.kind`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + +type: keyword + +example: alert + +-- + +*`event.module`*:: ++ +-- +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + +type: keyword + +example: apache + +-- + +*`event.original`*:: ++ +-- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +-- + +*`event.outcome`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + +type: keyword + +example: success + +-- + +*`event.provider`*:: ++ +-- +Source of the event. 
+Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + +*`event.risk_score`*:: ++ +-- +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + +type: float + +-- + +*`event.risk_score_norm`*:: ++ +-- +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + +type: float + +-- + +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + +type: long + +format: string + +-- + +*`event.severity`*:: ++ +-- +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
+ +type: long + +example: 7 + +format: string + +-- + +*`event.start`*:: ++ +-- +event.start contains the date when the event started or when the activity was first observed. + +type: date + +-- + +*`event.timezone`*:: ++ +-- +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + +type: keyword + +-- + +*`event.type`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + +type: keyword + +-- + +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. 
+ +type: date + +-- + +*`file.attributes`*:: ++ +-- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + +type: keyword + +example: ["readonly", "system"] + +-- + +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. 
It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice + +-- + +*`file.drive_letter`*:: ++ +-- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. + +type: keyword + +example: C + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- + +*`file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`file.group`*:: ++ +-- +Primary group name of the file. + +type: keyword + +example: alice + +-- + +*`file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`file.inode`*:: ++ +-- +Inode representing the file in the filesystem. + +type: keyword + +example: 256383 + +-- + +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + +*`file.mode`*:: ++ +-- +Mode of the file in octal representation. + +type: keyword + +example: 0640 + +-- + +*`file.mtime`*:: ++ +-- +Last time the file content was modified. + +type: date + +-- + +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + +*`file.owner`*:: ++ +-- +File owner's username. + +type: keyword + +example: alice + +-- + +*`file.path`*:: ++ +-- +Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ +type: keyword + +example: /home/alice/example.png + +-- + +*`file.path.text`*:: ++ +-- +type: text + +-- + +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`file.target_path.text`*:: ++ +-- +type: text + +-- + +*`file.type`*:: ++ +-- +File type (file, dir, or symlink). + +type: keyword + +example: file + +-- + +*`file.uid`*:: ++ +-- +The user ID (UID) or security identifier (SID) of the file owner. + +type: keyword + +example: 1001 + +-- + +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`geo.location`*:: ++ +-- +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. 
+ +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + +type: keyword + +-- + +*`host.ip`*:: ++ +-- +Host ip addresses. + +type: ip + +-- + +*`host.mac`*:: ++ +-- +Host mac addresses. + +type: keyword + +-- + +*`host.name`*:: ++ +-- +Name of the host. 
+It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`host.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`host.os.full.text`*:: ++ +-- +type: text + +-- + +*`host.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`host.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`host.os.name.text`*:: ++ +-- +type: text + +-- + +*`host.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`host.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`host.type`*:: ++ +-- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + +type: keyword + +-- + +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`host.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`host.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`host.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
+ +type: keyword + +-- + +*`host.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`host.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`host.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`host.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`host.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`host.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== http + +Fields related to HTTP activity. Use the `url` field set to store the url of the request. + + +*`http.request.body.bytes`*:: ++ +-- +Size in bytes of the request body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.request.body.content`*:: ++ +-- +The full HTTP request body. + +type: keyword + +example: Hello world + +-- + +*`http.request.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.request.bytes`*:: ++ +-- +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.request.method`*:: ++ +-- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: get, post, put + +-- + +*`http.request.referrer`*:: ++ +-- +Referrer for this HTTP request. + +type: keyword + +example: https://blog.example.com/ + +-- + +*`http.response.body.bytes`*:: ++ +-- +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.response.body.content`*:: ++ +-- +The full HTTP response body. 
+ +type: keyword + +example: Hello world + +-- + +*`http.response.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.response.bytes`*:: ++ +-- +Total size in bytes of the response (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.response.status_code`*:: ++ +-- +HTTP response status code. + +type: long + +example: 404 + +format: string + +-- + +*`http.version`*:: ++ +-- +HTTP version. + +type: keyword + +example: 1.1 + +-- + +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.level`*:: ++ +-- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. 
Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + +type: keyword + +example: error + +-- + +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + +*`log.origin.file.line`*:: ++ +-- +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 + +-- + +*`log.origin.file.name`*:: ++ +-- +The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. + +type: keyword + +example: Bootstrap.java + +-- + +*`log.origin.function`*:: ++ +-- +The name of the function or method which originated the log event. + +type: keyword + +example: init + +-- + +*`log.original`*:: ++ +-- +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 localhost My log + +-- + +*`log.syslog`*:: ++ +-- +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + +type: object + +-- + +*`log.syslog.facility.code`*:: ++ +-- +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string + +-- + +*`log.syslog.facility.name`*:: ++ +-- +The Syslog text-based facility of the log event, if available. 
+ +type: keyword + +example: local7 + +-- + +*`log.syslog.priority`*:: ++ +-- +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + +type: long + +example: 135 + +format: string + +-- + +*`log.syslog.severity.code`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + +type: long + +example: 3 + +-- + +*`log.syslog.severity.name`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + +type: keyword + +example: Error + +-- + +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: ++ +-- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: aim + +-- + +*`network.bytes`*:: ++ +-- +Total bytes transferred in both directions. 
+If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes + +-- + +*`network.community_id`*:: ++ +-- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + +-- + +*`network.direction`*:: ++ +-- +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. + +type: keyword + +example: inbound + +-- + +*`network.forwarded_ip`*:: ++ +-- +Host IP address when the source IP address is the proxy. + +type: ip + +example: 192.1.1.2 + +-- + +*`network.iana_number`*:: ++ +-- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + +example: 6 + +-- + +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. 
+ +type: keyword + +example: outside + +-- + +*`network.name`*:: ++ +-- +Name given by operators to sections of their network. + +type: keyword + +example: Guest Wifi + +-- + +*`network.packets`*:: ++ +-- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + +example: 24 + +-- + +*`network.protocol`*:: ++ +-- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: http + +-- + +*`network.transport`*:: ++ +-- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: tcp + +-- + +*`network.type`*:: ++ +-- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: ipv4 + +-- + +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. 
The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + +*`observer.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`observer.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`observer.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`observer.geo.country_name`*:: ++ +-- +Country name. 
+ +type: keyword + +example: Canada + +-- + +*`observer.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`observer.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`observer.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`observer.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`observer.hostname`*:: ++ +-- +Hostname of the observer. + +type: keyword + +-- + +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. 
+ +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + +*`observer.ip`*:: ++ +-- +IP addresses of the observer. + +type: ip + +-- + +*`observer.mac`*:: ++ +-- +MAC addresses of the observer + +type: keyword + +-- + +*`observer.name`*:: ++ +-- +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. + +type: keyword + +example: 1_proxySG + +-- + +*`observer.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`observer.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`observer.os.full.text`*:: ++ +-- +type: text + +-- + +*`observer.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`observer.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`observer.os.name.text`*:: ++ +-- +type: text + +-- + +*`observer.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`observer.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`observer.product`*:: ++ +-- +The product name of the observer. + +type: keyword + +example: s200 + +-- + +*`observer.serial_number`*:: ++ +-- +Observer serial number. + +type: keyword + +-- + +*`observer.type`*:: ++ +-- +The type of the observer the data is coming from. +There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + +type: keyword + +example: firewall + +-- + +*`observer.vendor`*:: ++ +-- +Vendor name of the observer. + +type: keyword + +example: Symantec + +-- + +*`observer.version`*:: ++ +-- +Observer version. + +type: keyword + +-- + +[float] +=== organization + +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. + + +*`organization.id`*:: ++ +-- +Unique identifier for the organization. + +type: keyword + +-- + +*`organization.name`*:: ++ +-- +Organization name. + +type: keyword + +-- + +*`organization.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`os.full.text`*:: ++ +-- +type: text + +-- + +*`os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`os.name.text`*:: ++ +-- +type: text + +-- + +*`os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. 
+ + +*`package.architecture`*:: ++ +-- +Package architecture. + +type: keyword + +example: x86_64 + +-- + +*`package.build_version`*:: ++ +-- +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. + +type: keyword + +example: 36f4f7e89dd61b0988b12ee000b98966867710cd + +-- + +*`package.checksum`*:: ++ +-- +Checksum of the installed package for verification. + +type: keyword + +example: 68b329da9893e34099c7d8ad5cb9c940 + +-- + +*`package.description`*:: ++ +-- +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. + +-- + +*`package.install_scope`*:: ++ +-- +Indicating how the package was installed, e.g. user-local, global. + +type: keyword + +example: global + +-- + +*`package.installed`*:: ++ +-- +Time when package was installed. + +type: date + +-- + +*`package.license`*:: ++ +-- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + +type: keyword + +example: Apache License 2.0 + +-- + +*`package.name`*:: ++ +-- +Package name + +type: keyword + +example: go + +-- + +*`package.path`*:: ++ +-- +Path where the package is installed. + +type: keyword + +example: /usr/local/Cellar/go/1.12.9/ + +-- + +*`package.reference`*:: ++ +-- +Home page or reference URL of the software in this package, if available. + +type: keyword + +example: https://golang.org + +-- + +*`package.size`*:: ++ +-- +Package size in bytes. + +type: long + +example: 62231 + +format: string + +-- + +*`package.type`*:: ++ +-- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. 
+ +type: keyword + +example: rpm + +-- + +*`package.version`*:: ++ +-- +Package version + +type: keyword + +example: 1.12.9 + +-- + +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: ++ +-- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + +type: keyword + +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. 
+This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.executable`*:: ++ +-- +Absolute path to the process executable. 
+ +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.executable.text`*:: ++ +-- +type: text + +-- + +*`process.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.args`*:: ++ +-- +Array of process arguments. +May be filtered to protect sensitive information. + +type: keyword + +example: ['ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.parent.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. 
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.parent.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.parent.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.parent.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.parent.executable.text`*:: ++ +-- +type: text + +-- + +*`process.parent.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. 
+ +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.parent.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.parent.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.parent.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.parent.title.text`*:: ++ +-- +type: text + +-- + +*`process.parent.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.parent.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.parent.working_directory.text`*:: ++ +-- +type: text + +-- + +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. 
+ +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword + +-- + +*`related.ip`*:: ++ +-- +All of the IPs seen on your event. + +type: ip + +-- + +*`related.user`*:: ++ +-- +All the user names seen on your event. + +type: keyword + +-- + +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + +*`rule.category`*:: ++ +-- +A categorization value keyword used by the entity using the rule for detection of this event. + +type: keyword + +example: Attempted Information Leak + +-- + +*`rule.description`*:: ++ +-- +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols + +-- + +*`rule.id`*:: ++ +-- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + +type: keyword + +example: 101 + +-- + +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + +*`rule.name`*:: ++ +-- +The name of the rule or signature generating the event. + +type: keyword + +example: BLOCK_DNS_over_TLS + +-- + +*`rule.reference`*:: ++ +-- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. 
If that's not available, it can also be a link to a more general page describing this type of alert. + +type: keyword + +example: https://en.wikipedia.org/wiki/DNS_over_TLS + +-- + +*`rule.ruleset`*:: ++ +-- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + +type: keyword + +example: Standard_Protocol_Filters + +-- + +*`rule.uuid`*:: ++ +-- +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + +type: keyword + +example: 1100110011 + +-- + +*`rule.version`*:: ++ +-- +The version / revision of the rule being used for analysis. + +type: keyword + +example: 1.1 + +-- + +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: ++ +-- +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+ +type: keyword + +-- + +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`server.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`server.bytes`*:: ++ +-- +Bytes sent from the server to the client. + +type: long + +example: 184 + +format: bytes + +-- + +*`server.domain`*:: ++ +-- +Server domain. + +type: keyword + +-- + +*`server.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`server.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`server.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`server.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`server.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`server.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`server.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`server.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`server.ip`*:: ++ +-- +IP address of the server. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`server.mac`*:: ++ +-- +MAC address of the server. + +type: keyword + +-- + +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`server.packets`*:: ++ +-- +Packets sent from the server to the client. + +type: long + +example: 12 + +-- + +*`server.port`*:: ++ +-- +Port of the server. + +type: long + +format: string + +-- + +*`server.registered_domain`*:: ++ +-- +The highest registered server domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`server.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`server.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`server.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`server.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`server.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
+ +type: keyword + +-- + +*`server.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`server.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`server.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`server.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`server.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`server.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== service + +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. + + +*`service.ephemeral_id`*:: ++ +-- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + +type: keyword + +example: 8a4f500f + +-- + +*`service.id`*:: ++ +-- +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + +-- + +*`service.name`*:: ++ +-- +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + +type: keyword + +example: elasticsearch-metrics + +-- + +*`service.node.name`*:: ++ +-- +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + +type: keyword + +example: instance-0000000016 + +-- + +*`service.state`*:: ++ +-- +Current state of the service. + +type: keyword + +-- + +*`service.type`*:: ++ +-- +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + +type: keyword + +example: elasticsearch + +-- + +*`service.version`*:: ++ +-- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + +type: keyword + +example: 3.2.4 + +-- + +[float] +=== source + +Source fields describe details about the source of a packet/event. +Source fields are usually populated in conjunction with destination fields. + + +*`source.address`*:: ++ +-- +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+ +type: keyword + +-- + +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`source.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`source.bytes`*:: ++ +-- +Bytes sent from the source to the destination. + +type: long + +example: 184 + +format: bytes + +-- + +*`source.domain`*:: ++ +-- +Source domain. + +type: keyword + +-- + +*`source.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`source.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`source.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`source.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`source.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`source.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`source.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`source.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`source.ip`*:: ++ +-- +IP address of the source. +Can be one or multiple IPv4 or IPv6 addresses. + +type: ip + +-- + +*`source.mac`*:: ++ +-- +MAC address of the source. + +type: keyword + +-- + +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. 
internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`source.packets`*:: ++ +-- +Packets sent from the source to the destination. + +type: long + +example: 12 + +-- + +*`source.port`*:: ++ +-- +Port of the source. + +type: long + +format: string + +-- + +*`source.registered_domain`*:: ++ +-- +The highest registered source domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`source.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`source.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`source.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`source.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`source.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. 
+For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`source.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`source.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`source.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`source.user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`source.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`source.user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== threat + +Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). + + +*`threat.framework`*:: ++ +-- +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + +type: keyword + +example: MITRE ATT&CK + +-- + +*`threat.tactic.id`*:: ++ +-- +The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) + +type: keyword + +example: TA0040 + +-- + +*`threat.tactic.name`*:: ++ +-- +Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/tactics/TA0040/ ) + +type: keyword + +example: impact + +-- + +*`threat.tactic.reference`*:: ++ +-- +The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) + +type: keyword + +example: https://attack.mitre.org/tactics/TA0040/ + +-- + +*`threat.technique.id`*:: ++ +-- +The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) + +type: keyword + +example: T1499 + +-- + +*`threat.technique.name`*:: ++ +-- +The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) + +type: keyword + +example: endpoint denial of service + +-- + +*`threat.technique.name.text`*:: ++ +-- +type: text + +-- + +*`threat.technique.reference`*:: ++ +-- +The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) + +type: keyword + +example: https://attack.mitre.org/techniques/T1499/ + +-- + +[float] +=== tls + +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. + + +*`tls.cipher`*:: ++ +-- +String indicating the cipher used during the current connection. + +type: keyword + +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + +-- + +*`tls.client.certificate`*:: ++ +-- +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + +type: keyword + +example: MII... + +-- + +*`tls.client.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the client. 
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.client.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.client.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.client.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.client.issuer`*:: ++ +-- +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: keyword + +example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + +-- + +*`tls.client.ja3`*:: ++ +-- +A hash that identifies clients based on how they perform an SSL/TLS handshake. + +type: keyword + +example: d4e5b18d6b55c71272893221c96ba240 + +-- + +*`tls.client.not_after`*:: ++ +-- +Date/Time indicating when client certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.client.not_before`*:: ++ +-- +Date/Time indicating when client certificate is first considered valid. 
+ +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.client.server_name`*:: ++ +-- +Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. + +type: keyword + +example: www.elastic.co + +-- + +*`tls.client.subject`*:: ++ +-- +Distinguished name of subject of the x.509 certificate presented by the client. + +type: keyword + +example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + +-- + +*`tls.client.supported_ciphers`*:: ++ +-- +Array of ciphers offered by the client during the client hello. + +type: keyword + +example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] + +-- + +*`tls.curve`*:: ++ +-- +String indicating the curve used for the given cipher, when applicable. + +type: keyword + +example: secp256r1 + +-- + +*`tls.established`*:: ++ +-- +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean + +-- + +*`tls.next_protocol`*:: ++ +-- +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + +type: keyword + +example: http/1.1 + +-- + +*`tls.resumed`*:: ++ +-- +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + +type: boolean + +-- + +*`tls.server.certificate`*:: ++ +-- +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + +type: keyword + +example: MII... + +-- + +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. 
+ +type: keyword + +example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". 
+ +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.google.com" is "google.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: google.com + +-- + +*`url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. 
+Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.id`*:: ++ +-- +Unique identifiers of the user. + +type: keyword + +-- + +*`user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: ++ +-- +Name of the device. + +type: keyword + +example: iPhone + +-- + +*`user_agent.name`*:: ++ +-- +Name of the user agent. + +type: keyword + +example: Safari + +-- + +*`user_agent.original`*:: ++ +-- +Unparsed user_agent string. + +type: keyword + +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + +-- + +*`user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`user_agent.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`user_agent.os.full.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`user_agent.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`user_agent.os.name.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`user_agent.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`user_agent.version`*:: ++ +-- +Version of the user agent. 
+ +type: keyword + +example: 12.0 + +-- + +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== vulnerability + +The vulnerability fields describe information about a vulnerability that is relevant to an event. + + +*`vulnerability.category`*:: ++ +-- +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. + +type: keyword + +example: ["Firewall"] + +-- + +*`vulnerability.classification`*:: ++ +-- +The classification of the vulnerability scoring system. 
For example (https://www.first.org/cvss/) + +type: keyword + +example: CVSS + +-- + +*`vulnerability.description`*:: ++ +-- +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + +type: keyword + +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + +-- + +*`vulnerability.description.text`*:: ++ +-- +type: text + +-- + +*`vulnerability.enumeration`*:: ++ +-- +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + +type: keyword + +example: CVE + +-- + +*`vulnerability.id`*:: ++ +-- +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + +type: keyword + +example: CVE-2019-00001 + +-- + +*`vulnerability.reference`*:: ++ +-- +A resource that provides additional information, context, and mitigations for the identified vulnerability. + +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + +-- + +*`vulnerability.report_id`*:: ++ +-- +The report or scan identification number. + +type: keyword + +example: 20191018.0001 + +-- + +*`vulnerability.scanner.vendor`*:: ++ +-- +The name of the vulnerability scanner vendor. + +type: keyword + +example: Tenable + +-- + +*`vulnerability.score.base`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. 
For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[[exported-fields-elasticsearch]] +== Elasticsearch fields + +elasticsearch Module + + + +[float] +=== elasticsearch + + + + +*`elasticsearch.component`*:: ++ +-- +Elasticsearch component from where the log event originated + +type: keyword + +example: o.e.c.m.MetaDataCreateIndexService + +-- + +*`elasticsearch.cluster.uuid`*:: ++ +-- +UUID of the cluster + +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g + +-- + +*`elasticsearch.cluster.name`*:: ++ +-- +Name of the cluster + +type: keyword + +example: docker-cluster + +-- + +*`elasticsearch.node.id`*:: ++ +-- +ID of the node + +type: keyword + +example: DSiWcTyeThWtUXLB9J0BMw + +-- + +*`elasticsearch.node.name`*:: ++ +-- +Name of the node + +type: keyword + +example: vWNJsZ3 + +-- + +*`elasticsearch.index.name`*:: ++ +-- +Index name + +type: keyword + +example: filebeat-test-input + +-- + +*`elasticsearch.index.id`*:: ++ +-- +Index id + +type: keyword + +example: aOGgDwbURfCV57AScqbCgw + +-- + +*`elasticsearch.shard.id`*:: ++ +-- +Id of the shard + +type: keyword + +example: 0 + +-- + +[float] +=== audit + + + + +*`elasticsearch.audit.layer`*:: ++ +-- +The layer from which this event originated: rest, transport or ip_filter + +type: keyword + +example: rest + +-- + +*`elasticsearch.audit.event_type`*:: ++ +-- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + +type: keyword + +example: access_granted + +-- + +*`elasticsearch.audit.origin.type`*:: ++ +-- +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + +type: keyword + +example: local_node + +-- + +*`elasticsearch.audit.realm`*:: ++ +-- +The authentication realm the 
authentication was validated against + +type: keyword + +-- + +*`elasticsearch.audit.user.realm`*:: ++ +-- +The user's authentication realm, if authenticated + +type: keyword + +-- + +*`elasticsearch.audit.user.roles`*:: ++ +-- +Roles to which the principal belongs + +type: keyword + +example: ['kibana_user', 'beats_admin'] + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +The name of the action that was executed + +type: keyword + +example: cluster:monitor/main + +-- + +*`elasticsearch.audit.url.params`*:: ++ +-- +REST URI parameters + +example: {username=jacknich2} + +-- + +*`elasticsearch.audit.indices`*:: ++ +-- +Indices accessed by action + +type: keyword + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +-- + +*`elasticsearch.audit.request.id`*:: ++ +-- +Unique ID of request + +type: keyword + +example: WzL_kb6VSvOhAq0twPvHOQ + +-- + +*`elasticsearch.audit.request.name`*:: ++ +-- +The type of request that was executed + +type: keyword + +example: ClearScrollRequest + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: alias + +alias to: http.request.body.content + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`elasticsearch.audit.message`*:: ++ +-- +type: text + +-- + +[float] +=== deprecation + + + +[float] +=== gc + +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: ++ +-- +Name of the GC collection phase. + + +type: keyword + +-- + +*`elasticsearch.gc.phase.duration_sec`*:: ++ +-- +Collection phase duration according to the Java virtual machine. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up symbol tables. 
+ + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up string tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: ++ +-- +Time spent processing weak references in seconds. + + +type: float + +-- + +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: ++ +-- +Time spent in seconds marking live objects while application is stopped. + + +type: float + +-- + +*`elasticsearch.gc.phase.class_unload_time_sec`*:: ++ +-- +Time spent unloading unused classes in seconds. + + +type: float + +-- + +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: ++ +-- +CPU time spent outside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: ++ +-- +CPU time spent inside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: ++ +-- +Total elapsed CPU time spent to complete the collection from start to finish. + + +type: float + +-- + +*`elasticsearch.gc.jvm_runtime_sec`*:: ++ +-- +The time from JVM start up in seconds, as a floating point number. + + +type: float + +-- + +*`elasticsearch.gc.threads_total_stop_time_sec`*:: ++ +-- +Garbage collection threads total stop time seconds. + + +type: float + +-- + +*`elasticsearch.gc.stopping_threads_time_sec`*:: ++ +-- +Time took to stop threads seconds. + + +type: float + +-- + +*`elasticsearch.gc.tags`*:: ++ +-- +GC logging tags. + + +type: keyword + +-- + +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: ++ +-- +Total heap size in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.heap.used_kb`*:: ++ +-- +Used heap in kilobytes. + + +type: integer + +-- + +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: ++ +-- +Total size of old generation in kilobytes. 
+ + +type: integer + +-- + +*`elasticsearch.gc.old_gen.used_kb`*:: ++ +-- +Old generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: ++ +-- +Total size of young generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.young_gen.used_kb`*:: ++ +-- +Young generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: ++ +-- +Field is not indexed. + +-- + +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.young.two`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.overhead_seq`*:: ++ +-- +Sequence number + +type: long + +example: 3449992 + +-- + +*`elasticsearch.server.gc.collection_duration.ms`*:: ++ +-- +Time spent in GC, in milliseconds + +type: float + +example: 1600 + +-- + +*`elasticsearch.server.gc.observation_duration.ms`*:: ++ +-- +Total time over which collection was observed, in milliseconds + +type: float + +example: 1800 + +-- + +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: ++ +-- +Logger name + +type: keyword + +example: index.search.slowlog.fetch + +-- + +*`elasticsearch.slowlog.took`*:: ++ +-- +Time it took to execute the query + +type: keyword + +example: 300ms + +-- + +*`elasticsearch.slowlog.types`*:: ++ +-- +Types + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.stats`*:: ++ +-- +Stats groups + +type: keyword + +example: group1 + +-- + +*`elasticsearch.slowlog.search_type`*:: ++ +-- +Search type + +type: keyword + +example: QUERY_THEN_FETCH + +-- + +*`elasticsearch.slowlog.source_query`*:: ++ +-- +Slow query + +type: keyword + +example: {"query":{"match_all":{"boost":1.0}}} + +-- + 
+*`elasticsearch.slowlog.extra_source`*:: ++ +-- +Extra source information + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +Total hits + +type: keyword + +example: 42 + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +Total queried shards + +type: keyword + +example: 22 + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +Routing + +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +Id + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +Type + +type: keyword + +example: doc + +-- + +*`elasticsearch.slowlog.source`*:: ++ +-- +Source of document that was indexed + +type: keyword + +-- + +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: ++ +-- +Envoy log type, normally ACCESS + + +type: keyword + +-- + +*`envoyproxy.response_flags`*:: ++ +-- +Response flags + + +type: keyword + +-- + +*`envoyproxy.upstream_service_time`*:: ++ +-- +Upstream service time in nanoseconds + + +type: long + +format: duration + +-- + +*`envoyproxy.request_id`*:: ++ +-- +ID of the request + + +type: keyword + +-- + +*`envoyproxy.authority`*:: ++ +-- +Envoy proxy authority field + + +type: keyword + +-- + +*`envoyproxy.proxy_type`*:: ++ +-- +Envoy proxy type, tcp or http + + +type: keyword + +-- + +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains
+
+type: double
+
+--
+
+*`rsa.web.web_ref_domain`*::
++
+--
+Web referer's domain
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_query`*::
++
+--
+This key captures Web referer's query portion of the URL
+
+type: keyword
+
+--
+
+*`rsa.web.remote_domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_ref_page`*::
++
+--
+This key captures Web referer's page information
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_root`*::
++
+--
+Web referer's root URL path
+
+type: keyword
+
+--
+
+*`rsa.web.cn_asn_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.cn_rpackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlpage`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlroot`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_url`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_user_agent`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_cookie`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_method`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_referer`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_extension_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_page`*::
++
+--
+type: keyword
+
+--
+
+
+*`rsa.threat.threat_category`*::
++
+--
+This key captures Threat Name/Threat Category/Categorization of alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_desc`*::
++
+--
+This key is used to capture the threat description from the session directly or inferred
+
+type: keyword
+
+--
+
+*`rsa.threat.alert`*::
++
+--
+This key is used to capture name of the alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_source`*::
++
+--
+This key is used to capture source of the threat
+
+type: keyword
+
+--
+
+
+*`rsa.crypto.crypto`*::
++
+--
+This key is used to capture the Encryption Type or Encryption Key only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_src`*::
++
+--
+This key is for Source (Client) Cipher
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_subject`*::
++
+--
+This key is used to capture the Certificate organization only
+
+type: keyword
+
+--
+
+*`rsa.crypto.peer`*::
++
+--
+This key is for Encryption peer's IP Address
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_size_src`*::
++
+--
+This key captures Source (Client) Cipher Size
+
+type: long
+
+--
+
+*`rsa.crypto.ike`*::
++
+--
+IKE negotiation phase.
+
+type: keyword
+
+--
+
+*`rsa.crypto.scheme`*::
++
+--
+This key captures the Encryption scheme used
+
+type: keyword
+
+--
+
+*`rsa.crypto.peer_id`*::
++
+--
+This key is for Encryption peer’s identity
+
+type: keyword
+
+--
+
+*`rsa.crypto.sig_type`*::
++
+--
+This key captures the Signature Type
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_issuer`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_host_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_error`*::
++
+--
+This key captures the Certificate Error String
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_dst`*::
++
+--
+This key is for Destination (Server) Cipher
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_size_dst`*::
++
+--
+This key captures Destination (Server) Cipher Size
+
+type: long
+
+--
+
+*`rsa.crypto.ssl_ver_src`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`rsa.crypto.d_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.s_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.ike_cookie1`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase One
+
+type: keyword
+
+--
+
+*`rsa.crypto.ike_cookie2`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase Two
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_checksum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_host_cat`*::
++
+--
+This key is used for the hostname category value of a certificate
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_serial`*::
++
+--
+This key is used to capture the Certificate serial number only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_status`*::
++
+--
+This key captures Certificate validation status
+
+type: keyword
+
+--
+
+*`rsa.crypto.ssl_ver_dst`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_keysize`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_username`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.https_insact`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.https_valid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_ca`*::
++
+--
+This key is used to capture the Certificate signing authority only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_common`*::
++
+--
+This key is used to capture the Certificate common name only
+
+type: keyword
+
+--
+
+
+*`rsa.wireless.wlan_ssid`*::
++
+--
+This key is used to capture the ssid of a Wireless Session
+
+type: keyword
+
+--
+
+*`rsa.wireless.access_point`*::
++
+--
+This key is used to capture the access point name.
+
+type: keyword
+
+--
+
+*`rsa.wireless.wlan_channel`*::
++
+--
+This is used to capture the channel names
+
+type: long
+
+--
+
+*`rsa.wireless.wlan_name`*::
++
+--
+This key captures either WLAN number/name
+
+type: keyword
+
+--
+
+
+*`rsa.storage.disk_volume`*::
++
+--
+A unique name assigned to logical units (volumes) within a physical disk
+
+type: keyword
+
+--
+
+*`rsa.storage.lun`*::
++
+--
+Logical Unit Number.This key is a very useful concept in Storage.
+
+type: keyword
+
+--
+
+*`rsa.storage.pwwn`*::
++
+--
+This uniquely identifies a port on a HBA.
+
+type: keyword
+
+--
+
+
+*`rsa.physical.org_dst`*::
++
+--
+This is used to capture the destination organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+*`rsa.physical.org_src`*::
++
+--
+This is used to capture the source organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+
+*`rsa.healthcare.patient_fname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_id`*::
++
+--
+This key captures the unique ID for a patient
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_lname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_mname`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+
+*`rsa.endpoint.host_state`*::
++
+--
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+
+type: keyword
+
+--
+
+*`rsa.endpoint.registry_key`*::
++
+--
+This key captures the path to the registry key
+
+type: keyword
+
+--
+
+*`rsa.endpoint.registry_value`*::
++
+--
+This key captures values or decorators used within a registry entry
+
+type: keyword
+
+--
+
+[[exported-fields-fortinet]]
+== Fortinet fields
+
+fortinet Module
+
+
+
+[float]
+=== fortinet
+
+Fields from fortinet FortiOS
+
+
+
+*`fortinet.file.hash.crc32`*::
++
+--
+CRC32 Hash of file
+
+
+type: keyword
+
+--
+
+*`fortinet.network.interface.name`*::
++
+--
+Name of the network interface where the traffic has been observed.
+
+
+type: keyword
+
+--
+
+
+
+*`fortinet.rsa.internal.msg`*::
++
+--
+This key is used to capture the raw message that comes into the Log Decoder
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.messageid`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.event_desc`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.message`*::
++
+--
+This key captures the contents of instant messages
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.time`*::
++
+--
+This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+
+type: date
+
+--
+
+*`fortinet.rsa.internal.level`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.msg_id`*::
++
+--
+This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.msg_vid`*::
++
+--
+This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.data`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.obj_server`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.obj_val`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.resource`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.obj_id`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.statement`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.audit_class`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.entry`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.hcode`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.inode`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.resource_class`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.dead`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.feed_desc`*::
++
+--
+This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.feed_name`*::
++
+--
+This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.cid`*::
++
+--
+This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.device_class`*::
++
+--
+This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.device_group`*::
++
+--
+This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.device_host`*::
++
+--
+This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.device_ip`*::
++
+--
+This is the IPv4 address of the Log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: ip
+
+--
+
+*`fortinet.rsa.internal.device_ipv6`*::
++
+--
+This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: ip
+
+--
+
+*`fortinet.rsa.internal.device_type`*::
++
+--
+This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.device_type_id`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.did`*::
++
+--
+This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.entropy_req`*::
++
+--
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.entropy_res`*::
++
+--
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.event_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.feed_category`*::
++
+--
+This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.forward_ip`*::
++
+--
+This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+
+type: ip
+
+--
+
+*`fortinet.rsa.internal.forward_ipv6`*::
++
+--
+This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: ip
+
+--
+
+*`fortinet.rsa.internal.header_id`*::
++
+--
+This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.lc_cid`*::
++
+--
+This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.lc_ctime`*::
++
+--
+This is the time at which a log is collected in a NetWitness Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: date
+
+--
+
+*`fortinet.rsa.internal.mcb_req`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.mcb_res`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.mcbc_req`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.mcbc_res`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.medium`*::
++
+--
+This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.node_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.nwe_callback_id`*::
++
+--
+This key denotes that event is endpoint related
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.parse_error`*::
++
+--
+This is a special key that stores any Meta key validation error found while parsing a log session.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.payload_req`*::
++
+--
+This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.payload_res`*::
++
+--
+This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.process_vid_dst`*::
++
+--
+Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.process_vid_src`*::
++
+--
+Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.rid`*::
++
+--
+This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.session_split`*::
++
+--
+This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.site`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.size`*::
++
+--
+This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.sourcefile`*::
++
+--
+This is the name of the log file or PCAPs that can be imported into NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`fortinet.rsa.internal.ubc_req`*::
++
+--
+This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.ubc_res`*::
++
+--
+This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+
+type: long
+
+--
+
+*`fortinet.rsa.internal.word`*::
++
+--
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.time.event_time`*::
++
+--
+This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+
+type: date
+
+--
+
+*`fortinet.rsa.time.duration_time`*::
++
+--
+This key is used to capture the normalized duration/lifetime in seconds.
+
+type: double
+
+--
+
+*`fortinet.rsa.time.event_time_str`*::
++
+--
+This key is used to capture the incomplete time mentioned in a session as a string
+
+type: keyword
+
+--
+
+*`fortinet.rsa.time.starttime`*::
++
+--
+This key is used to capture the Start time mentioned in a session in a standard form
+
+type: date
+
+--
+
+*`fortinet.rsa.time.month`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.day`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.endtime`*::
++
+--
+This key is used to capture the End time mentioned in a session in a standard form
+
+type: date
+
+--
+
+*`fortinet.rsa.time.timezone`*::
++
+--
+This key is used to capture the timezone of the Event Time
+
+type: keyword
+
+--
+
+*`fortinet.rsa.time.duration_str`*::
++
+--
+A text string version of the duration
+
+type: keyword
+
+--
+
+*`fortinet.rsa.time.date`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.year`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.recorded_time`*::
++
+--
+The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+
+type: date
+
+--
+
+*`fortinet.rsa.time.datetime`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.effective_time`*::
++
+--
+This key is the effective time referenced by an individual event in a Standard Timestamp format
+
+type: date
+
+--
+
+*`fortinet.rsa.time.expire_time`*::
++
+--
+This key is the timestamp that explicitly refers to an expiration.
+
+type: date
+
+--
+
+*`fortinet.rsa.time.process_time`*::
++
+--
+Deprecated, use duration.time
+
+type: keyword
+
+--
+
+*`fortinet.rsa.time.hour`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.min`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.timestamp`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.event_queue_time`*::
++
+--
+This key is the Time that the event was queued.
+
+type: date
+
+--
+
+*`fortinet.rsa.time.p_time1`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.tzone`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.eventtime`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.gmtdate`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.gmttime`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.p_date`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.p_month`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.p_time`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.p_time2`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.p_year`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.time.expire_time_str`*::
++
+--
+This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.time.stamp`*::
++
+--
+Deprecated key defined only in table map.
+
+type: date
+
+--
+
+
+*`fortinet.rsa.misc.action`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.result`*::
++
+--
+This key is used to capture the outcome/result string value of an action in a session.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.severity`*::
++
+--
+This key is used to capture the severity given the session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_type`*::
++
+--
+This key captures the event category type as specified by the event source.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.reference_id`*::
++
+--
+This key is used to capture an event id from the session directly
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.version`*::
++
+--
+This key captures Version of the application or OS which is generating the event.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.disposition`*::
++
+--
+This key captures the The end state of an action.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.result_code`*::
++
+--
+This key is used to capture the outcome/result numeric value of an action in a session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.category`*::
++
+--
+This key is used to capture the category of an event given by the vendor in the session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.obj_name`*::
++
+--
+This is used to capture name of object
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.obj_type`*::
++
+--
+This is used to capture type of object
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_source`*::
++
+--
+This key captures Source of the event that’s not a hostname
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.log_session_id`*::
++
+--
+This key is used to capture a sessionid from the session directly
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.group`*::
++
+--
+This key captures the Group Name value
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.policy_name`*::
++
+--
+This key is used to capture the Policy Name only.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.rule_name`*::
++
+--
+This key captures the Rule Name
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.context`*::
++
+--
+This key captures Information which adds additional context to the event.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.change_new`*::
++
+--
+This key is used to capture the new values of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.space`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.client`*::
++
+--
+This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.msgIdPart1`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.msgIdPart2`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.change_old`*::
++
+--
+This key is used to capture the old value of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.operation_id`*::
++
+--
+An alert number or operation number. The values should be unique and non-repeating.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_state`*::
++
+--
+This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.group_object`*::
++
+--
+This key captures a collection/grouping of entities. Specific usage
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.node`*::
++
+--
+Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.rule`*::
++
+--
+This key captures the Rule number
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.device_name`*::
++
+--
+This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.param`*::
++
+--
+This key is the parameters passed as part of a command or application, etc.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.change_attrib`*::
++
+--
+This key is used to capture the name of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_computer`*::
++
+--
+This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.reference_id1`*::
++
+--
+This key is for Linked ID to be used as an addition to "reference.id"
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_log`*::
++
+--
+This key captures the Name of the event log
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.OS`*::
++
+--
+This key captures the Name of the Operating System
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.terminal`*::
++
+--
+This key captures the Terminal Names only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.msgIdPart3`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.filter`*::
++
+--
+This key captures Filter used to reduce result set
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.serial_number`*::
++
+--
+This key is the Serial number associated with a physical asset.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.checksum`*::
++
+--
+This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_user`*::
++
+--
+This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.virusname`*::
++
+--
+This key captures the name of the virus
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.content_type`*::
++
+--
+This key is used to capture Content Type only.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.group_id`*::
++
+--
+This key captures Group ID Number (related to the group name)
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.policy_id`*::
++
+--
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.vsys`*::
++
+--
+This key captures Virtual System Name
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.connection_id`*::
++
+--
+This key captures the Connection ID
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.reference_id2`*::
++
+--
+This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.sensor`*::
++
+--
+This key captures Name of the sensor. Typically used in IDS/IPS based devices
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.sig_id`*::
++
+--
+This key captures IDS/IPS Int Signature ID
+
+type: long
+
+--
+
+*`fortinet.rsa.misc.port_name`*::
++
+--
+This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.rule_group`*::
++
+--
+This key captures the Rule group name
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.risk_num`*::
++
+--
+This key captures a Numeric Risk value
+
+type: double
+
+--
+
+*`fortinet.rsa.misc.trigger_val`*::
++
+--
+This key captures the Value of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.log_session_id1`*::
++
+--
+This key is used to capture a Linked (Related) Session ID from the session directly
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.comp_version`*::
++
+--
+This key captures the Version level of a sub-component of a product.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.content_version`*::
++
+--
+This key captures Version level of a signature or database content.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.hardware_id`*::
++
+--
+This key is used to capture unique identifier for a device or system (NOT a Mac address)
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.risk`*::
++
+--
+This key captures the non-numeric risk value
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.event_id`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.reason`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.status`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.mail_id`*::
++
+--
+This key is used to capture the mailbox id/name
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.rule_uid`*::
++
+--
+This key is the Unique Identifier for a rule.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.trigger_desc`*::
++
+--
+This key captures the Description of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.inout`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.p_msgid`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.data_type`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.msgIdPart4`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.error`*::
++
+--
+This key captures All non successful Error codes or responses
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.index`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.listnum`*::
++
+--
+This key is used to capture listname or listnumber, primarily for collecting access-list
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.ntype`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.observed_val`*::
++
+--
+This key captures the Value observed (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.policy_value`*::
++
+--
+This key captures the contents of the policy.
This contains details about the policy
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.pool_name`*::
++
+--
+This key captures the name of a resource pool
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.rule_template`*::
++
+--
+A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.count`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.number`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.sigcat`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.type`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.comments`*::
++
+--
+Comment information provided in the log message
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.doc_number`*::
++
+--
+This key captures File Identification number
+
+type: long
+
+--
+
+*`fortinet.rsa.misc.expected_val`*::
++
+--
+This key captures the Value expected (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.job_num`*::
++
+--
+This key captures the Job Number
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.spi_dst`*::
++
+--
+Destination SPI Index
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.spi_src`*::
++
+--
+Source SPI Index
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.code`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.agent_id`*::
++
+--
+This key is used to capture agent id
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.message_body`*::
++
+--
+This key captures the The contents of the message body.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.phone`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.misc.sig_id_str`*::
++
+--
+This key captures a string object of the sigid variable.
+ +type: keyword + +-- + +*`fortinet.rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`fortinet.rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`fortinet.rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`fortinet.rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`fortinet.rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`fortinet.rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`fortinet.rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`fortinet.rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`fortinet.rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`fortinet.rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`fortinet.rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`fortinet.rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`fortinet.rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`fortinet.rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`fortinet.rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`fortinet.rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`fortinet.rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`fortinet.rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`fortinet.rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`fortinet.rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`fortinet.rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`fortinet.rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`fortinet.rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`fortinet.rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.program`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + 
+*`fortinet.rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`fortinet.rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`fortinet.rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`fortinet.rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`fortinet.rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`fortinet.rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`fortinet.rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`fortinet.rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`fortinet.rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`fortinet.rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`fortinet.rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`fortinet.rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`fortinet.rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. 
+ +type: keyword + +-- + +*`fortinet.rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`fortinet.rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`fortinet.rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`fortinet.rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`fortinet.rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`fortinet.rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`fortinet.rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`fortinet.rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`fortinet.rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`fortinet.rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`fortinet.rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`fortinet.rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`fortinet.rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`fortinet.rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`fortinet.rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`fortinet.rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`fortinet.rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`fortinet.rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`fortinet.rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`fortinet.rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`fortinet.rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`fortinet.rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`fortinet.rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`fortinet.rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`fortinet.rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`fortinet.rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`fortinet.rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`fortinet.rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`fortinet.rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`fortinet.rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`fortinet.rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`fortinet.rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`fortinet.rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`fortinet.rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`fortinet.rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + 
+*`fortinet.rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`fortinet.rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`fortinet.rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`fortinet.rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ +type: keyword + +-- + +*`fortinet.rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`fortinet.rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`fortinet.rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`fortinet.rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`fortinet.rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`fortinet.rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`fortinet.rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`fortinet.rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`fortinet.rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`fortinet.rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`fortinet.rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`fortinet.rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`fortinet.rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`fortinet.rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`fortinet.rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`fortinet.rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`fortinet.rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key 
that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`fortinet.rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`fortinet.rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`fortinet.rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`fortinet.rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`fortinet.rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.profile`*::
++
+--
+This key is used to capture the user profile
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.accesses`*::
++
+--
+This key is used to capture actual privileges used in accessing an object
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.realm`*::
++
+--
+Radius realm or similar grouping of accounts
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.user_sid_dst`*::
++
+--
+This key captures Destination User Session ID
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.dn_src`*::
++
+--
+An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.org`*::
++
+--
+This key captures the User organization
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.dn_dst`*::
++
+--
+An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.firstname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.lastname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.user_dept`*::
++
+--
+User's Department Names only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.user_sid_src`*::
++
+--
+This key captures Source User Session ID
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.federated_sp`*::
++
+--
+This key is the Federated Service Provider. This is the application requesting authentication.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.federated_idp`*::
++
+--
+This key is the federated Identity Provider. This is the server providing the authentication.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.logon_type_desc`*::
++
+--
+This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.middlename`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.password`*::
++
+--
+This key is for Passwords seen in any session, plain text or encrypted
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.host_role`*::
++
+--
+This key should only be used to capture the role of a Host Machine
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.ldap`*::
++
+--
+This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.ldap_query`*::
++
+--
+This key is the Search criteria from an LDAP search
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.ldap_response`*::
++
+--
+This key is to capture Results from an LDAP search
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.owner`*::
++
+--
+This is used to capture username the process or service is running as, the author of the task
+
+type: keyword
+
+--
+
+*`fortinet.rsa.identity.service_account`*::
++
+--
+This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.email.email_dst`*::
++
+--
+This key is used to capture the Destination email address only, when the destination context is not clear use email
+
+type: keyword
+
+--
+
+*`fortinet.rsa.email.email_src`*::
++
+--
+This key is used to capture the source email address only, when the source context is not clear use email
+
+type: keyword
+
+--
+
+*`fortinet.rsa.email.subject`*::
++
+--
+This key is used to capture the subject string from an Email only.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.email.email`*::
++
+--
+This key is used to capture a generic email address where the source or destination context is not clear
+
+type: keyword
+
+--
+
+*`fortinet.rsa.email.trans_from`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.email.trans_to`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.file.privilege`*::
++
+--
+Deprecated, use permissions
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.attachment`*::
++
+--
+This key captures the attachment file name
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.filesystem`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.file.binary`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.filename_dst`*::
++
+--
+This is used to capture name of the file targeted by the action
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.filename_src`*::
++
+--
+This is used to capture name of the parent filename, the file which performed the action
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.filename_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.file.directory_dst`*::
++
+--
+This key is used to capture the directory of the target process or file
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.directory_src`*::
++
+--
+This key is used to capture the directory of the source process or file
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.file_entropy`*::
++
+--
+This is used to capture entropy vale of a file
+
+type: double
+
+--
+
+*`fortinet.rsa.file.file_vendor`*::
++
+--
+This is used to capture Company name of file located in version_info
+
+type: keyword
+
+--
+
+*`fortinet.rsa.file.task_name`*::
++
+--
+This is used to capture name of the task
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.web.fqdn`*::
++
+--
+Fully Qualified Domain Names
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_cookie`*::
++
+--
+This key is used to capture the Web cookies specifically.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.alias_host`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.reputation_num`*::
++
+--
+Reputation Number of an entity. Typically used for Web Domains
+
+type: double
+
+--
+
+*`fortinet.rsa.web.web_ref_domain`*::
++
+--
+Web referer's domain
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_ref_query`*::
++
+--
+This key captures Web referer's query portion of the URL
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.remote_domain`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_ref_page`*::
++
+--
+This key captures Web referer's page information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_ref_root`*::
++
+--
+Web referer's root URL path
+
+type: keyword
+
+--
+
+*`fortinet.rsa.web.cn_asn_dst`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.cn_rpackets`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.urlpage`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.urlroot`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.p_url`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.p_user_agent`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.p_web_cookie`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.p_web_method`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.p_web_referer`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_extension_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.web.web_page`*::
++
+--
+type: keyword
+
+--
+
+
+*`fortinet.rsa.threat.threat_category`*::
++
+--
+This key captures Threat Name/Threat Category/Categorization of alert
+
+type: keyword
+
+--
+
+*`fortinet.rsa.threat.threat_desc`*::
++
+--
+This key is used to capture the threat description from the session directly or inferred
+
+type: keyword
+
+--
+
+*`fortinet.rsa.threat.alert`*::
++
+--
+This key is used to capture name of the alert
+
+type: keyword
+
+--
+
+*`fortinet.rsa.threat.threat_source`*::
++
+--
+This key is used to capture source of the threat
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.crypto.crypto`*::
++
+--
+This key is used to capture the Encryption Type or Encryption Key only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cipher_src`*::
++
+--
+This key is for Source (Client) Cipher
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_subject`*::
++
+--
+This key is used to capture the Certificate organization only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.peer`*::
++
+--
+This key is for Encryption peer's IP Address
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cipher_size_src`*::
++
+--
+This key captures Source (Client) Cipher Size
+
+type: long
+
+--
+
+*`fortinet.rsa.crypto.ike`*::
++
+--
+IKE negotiation phase.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.scheme`*::
++
+--
+This key captures the Encryption scheme used
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.peer_id`*::
++
+--
+This key is for Encryption peer’s identity
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.sig_type`*::
++
+--
+This key captures the Signature Type
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_issuer`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_host_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_error`*::
++
+--
+This key captures the Certificate Error String
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cipher_dst`*::
++
+--
+This key is for Destination (Server) Cipher
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cipher_size_dst`*::
++
+--
+This key captures Destination (Server) Cipher Size
+
+type: long
+
+--
+
+*`fortinet.rsa.crypto.ssl_ver_src`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.d_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.s_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.ike_cookie1`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase One
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.ike_cookie2`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase Two
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_checksum`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_host_cat`*::
++
+--
+This key is used for the hostname category value of a certificate
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_serial`*::
++
+--
+This key is used to capture the Certificate serial number only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_status`*::
++
+--
+This key captures Certificate validation status
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.ssl_ver_dst`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_keysize`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_username`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.https_insact`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.https_valid`*::
++
+--
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_ca`*::
++
+--
+This key is used to capture the Certificate signing authority only
+
+type: keyword
+
+--
+
+*`fortinet.rsa.crypto.cert_common`*::
++
+--
+This key is used to capture the Certificate common name only
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.wireless.wlan_ssid`*::
++
+--
+This key is used to capture the ssid of a Wireless Session
+
+type: keyword
+
+--
+
+*`fortinet.rsa.wireless.access_point`*::
++
+--
+This key is used to capture the access point name.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.wireless.wlan_channel`*::
++
+--
+This is used to capture the channel names
+
+type: long
+
+--
+
+*`fortinet.rsa.wireless.wlan_name`*::
++
+--
+This key captures either WLAN number/name
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.storage.disk_volume`*::
++
+--
+A unique name assigned to logical units (volumes) within a physical disk
+
+type: keyword
+
+--
+
+*`fortinet.rsa.storage.lun`*::
++
+--
+Logical Unit Number.This key is a very useful concept in Storage.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.storage.pwwn`*::
++
+--
+This uniquely identifies a port on a HBA.
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.physical.org_dst`*::
++
+--
+This is used to capture the destination organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+*`fortinet.rsa.physical.org_src`*::
++
+--
+This is used to capture the source organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.healthcare.patient_fname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.healthcare.patient_id`*::
++
+--
+This key captures the unique ID for a patient
+
+type: keyword
+
+--
+
+*`fortinet.rsa.healthcare.patient_lname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`fortinet.rsa.healthcare.patient_mname`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+
+*`fortinet.rsa.endpoint.host_state`*::
++
+--
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+
+type: keyword
+
+--
+
+*`fortinet.rsa.endpoint.registry_key`*::
++
+--
+This key captures the path to the registry key
+
+type: keyword
+
+--
+
+*`fortinet.rsa.endpoint.registry_value`*::
++
+--
+This key captures values or decorators used within a registry entry
+
+type: keyword
+
+--
+
+[float]
+=== firewall
+
+Module for parsing Fortinet syslog.
+
+
+
+*`fortinet.firewall.acct_stat`*::
++
+--
+Accounting state (RADIUS)
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.acktime`*::
++
+--
+Alarm Acknowledge Time
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.act`*::
++
+--
+Action
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.action`*::
++
+--
+Status of the session
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.activity`*::
++
+--
+HA activity message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.addr`*::
++
+--
+IP Address
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.addr_type`*::
++
+--
+Address Type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.addrgrp`*::
++
+--
+Address Group
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.adgroup`*::
++
+--
+AD Group Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.admin`*::
++
+--
+Admin User
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.age`*::
++
+--
+Time in seconds - time passed since last seen
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.agent`*::
++
+--
+User agent - eg. agent="Mozilla/5.0"
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.alarmid`*::
++
+--
+Alarm ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.alert`*::
++
+--
+Alert
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.analyticscksum`*::
++
+--
+The checksum of the file submitted for analytics
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.analyticssubmit`*::
++
+--
+The flag for analytics submission
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ap`*::
++
+--
+Access Point
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.app-type`*::
++
+--
+Address Type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.appact`*::
++
+--
+The security action from app control
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.appid`*::
++
+--
+Application ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.applist`*::
++
+--
+Application Control profile
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.apprisk`*::
++
+--
+Application Risk Level
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.apscan`*::
++
+--
+The name of the AP, which scanned and detected the rogue AP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.apsn`*::
++
+--
+Access Point
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.apstatus`*::
++
+--
+Access Point status
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.aptype`*::
++
+--
+Access Point type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.assigned`*::
++
+--
+Assigned IP Address
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.assignip`*::
++
+--
+Assigned IP Address
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.attachment`*::
++
+--
+The flag for email attachement
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.attack`*::
++
+--
+Attack Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.attackcontext`*::
++
+--
+The trigger patterns and the packetdata with base64 encoding
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.attackcontextid`*::
++
+--
+Attack context id / total
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.attackid`*::
++
+--
+Attack ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.auditid`*::
++
+--
+Audit ID
+
+
+type: long
+
+--
+
+*`fortinet.firewall.auditscore`*::
++
+--
+The Audit Score
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.audittime`*::
++
+--
+The time of the audit
+
+
+type: long
+
+--
+
+*`fortinet.firewall.authgrp`*::
++
+--
+Authorization Group
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.authid`*::
++
+--
+Authentication ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.authproto`*::
++
+--
+The protocol that initiated the authentication
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.authserver`*::
++
+--
+Authentication server
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.bandwidth`*::
++
+--
+Bandwidth
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.banned_rule`*::
++
+--
+NAC quarantine Banned Rule Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.banned_src`*::
++
+--
+NAC quarantine Banned Source IP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.banword`*::
++
+--
+Banned word
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.botnetdomain`*::
++
+--
+Botnet Domain Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.botnetip`*::
++
+--
+Botnet IP Address
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.bssid`*::
++
+--
+Service Set ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.call_id`*::
++
+--
+Caller ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.carrier_ep`*::
++
+--
+The FortiOS Carrier end-point identification
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cat`*::
++
+--
+DNS category ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.category`*::
++
+--
+Authentication category
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cc`*::
++
+--
+CC Email Address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cdrcontent`*::
++
+--
+Cdrcontent
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.centralnatid`*::
++
+--
+Central NAT ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.cert`*::
++
+--
+Certificate
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cert-type`*::
++
+--
+Certificate type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.certhash`*::
++
+--
+Certificate hash
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cfgattr`*::
++
+--
+Configuration attribute
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cfgobj`*::
++
+--
+Configuration object
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cfgpath`*::
++
+--
+Configuration path
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cfgtid`*::
++
+--
+Configuration transaction ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cfgtxpower`*::
++
+--
+Configuration TX power
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.channel`*::
++
+--
+Wireless Channel
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.channeltype`*::
++
+--
+SSH channel type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.chassisid`*::
++
+--
+Chassis ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.checksum`*::
++
+--
+The checksum of the scanned file
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.chgheaders`*::
++
+--
+HTTP Headers
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cldobjid`*::
++
+--
+Connector object ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.client_addr`*::
++
+--
+Wifi client address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cloudaction`*::
++
+--
+Cloud Action
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.clouduser`*::
++
+--
+Cloud User
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.column`*::
++
+--
+VOIP Column
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.command`*::
++
+--
+CLI Command
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.community`*::
++
+--
+SNMP Community
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.configcountry`*::
++
+--
+Configuration country
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.connection_type`*::
++
+--
+FortiClient Connection Type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.conserve`*::
++
+--
+Flag for conserve mode
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.constraint`*::
++
+--
+WAF http protocol restrictions
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.contentdisarmed`*::
++
+--
+Email scanned content
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.contenttype`*::
++
+--
+Content Type from HTTP header
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.cookies`*::
++
+--
+VPN Cookie
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.count`*::
++
+--
+Counts of action type
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countapp`*::
++
+--
+Number of App Ctrl logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countav`*::
++
+--
+Number of AV logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countcifs`*::
++
+--
+Number of CIFS logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countdlp`*::
++
+--
+Number of DLP logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countdns`*::
++
+--
+Number of DNS logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countemail`*::
++
+--
+Number of email logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countff`*::
++
+--
+Number of ff logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countips`*::
++
+--
+Number of IPS logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countssh`*::
++
+--
+Number of SSH logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countssl`*::
++
+--
+Number of SSL logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countwaf`*::
++
+--
+Number of WAF logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.countweb`*::
++
+--
+Number of Web filter logs associated with the session
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.cpu`*::
++
+--
+CPU Usage
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.craction`*::
++
+--
+Client Reputation Action
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.criticalcount`*::
++
+--
+Number of critical ratings
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.crl`*::
++
+--
+Client Reputation Level
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.crlevel`*::
++
+--
+Client Reputation Level
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.crscore`*::
++
+--
+Some description
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.cveid`*::
++
+--
+CVE ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.daemon`*::
++
+--
+Daemon name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.datarange`*::
++
+--
+Data range for reports
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.date`*::
++
+--
+Date
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ddnsserver`*::
++
+--
+DDNS server
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.desc`*::
++
+--
+Description
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.detectionmethod`*::
++
+--
+Detection method
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.devcategory`*::
++
+--
+Device category
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.devintfname`*::
++
+--
+HA device Interface Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.devtype`*::
++
+--
+Device type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dhcp_msg`*::
++
+--
+DHCP Message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dintf`*::
++
+--
+Destination interface
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.disk`*::
++
+--
+Assosciated disk
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.disklograte`*::
++
+--
+Disk logging rate
+
+
+type: long
+
+--
+
+*`fortinet.firewall.dlpextra`*::
++
+--
+DLP extra information
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.docsource`*::
++
+--
+DLP fingerprint document source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.domainctrlauthstate`*::
++
+--
+CIFS domain auth state
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.domainctrlauthtype`*::
++
+--
+CIFS domain auth type
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.domainctrldomain`*::
++
+--
+CIFS domain auth domain
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.domainctrlip`*::
++
+--
+CIFS Domain IP
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.domainctrlname`*::
++
+--
+CIFS Domain name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.domainctrlprotocoltype`*::
++
+--
+CIFS Domain connection protocol
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.domainctrlusername`*::
++
+--
+CIFS Domain username
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.domainfilteridx`*::
++
+--
+Domain filter ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.domainfilterlist`*::
++
+--
+Domain filter name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ds`*::
++
+--
+Direction with distribution system
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dst_int`*::
++
+--
+Destination interface
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstintfrole`*::
++
+--
+Destination interface role
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstcountry`*::
++
+--
+Destination country
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstdevcategory`*::
++
+--
+Destination device category
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstdevtype`*::
++
+--
+Destination device type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstfamily`*::
++
+--
+Destination OS family
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dsthwvendor`*::
++
+--
+Destination HW vendor
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dsthwversion`*::
++
+--
+Destination HW version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstinetsvc`*::
++
+--
+Destination interface service
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstosname`*::
++
+--
+Destination OS name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstosversion`*::
++
+--
+Destination OS version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstserver`*::
++
+--
+Destination server
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.dstssid`*::
++
+--
+Destination SSID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstswversion`*::
++
+--
+Destination software version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstunauthusersource`*::
++
+--
+Destination unauthenticated source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.dstuuid`*::
++
+--
+UUID of the Destination IP address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.duid`*::
++
+--
+DHCP UID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.eapolcnt`*::
++
+--
+EAPOL packet count
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.eapoltype`*::
++
+--
+EAPOL packet type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.encrypt`*::
++
+--
+Whether the packet is encrypted or not
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.encryption`*::
++
+--
+Encryption method
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.epoch`*::
++
+--
+Epoch used for locating file
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.espauth`*::
++
+--
+ESP Authentication
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.esptransform`*::
++
+--
+ESP Transform
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.exch`*::
++
+--
+Mail Exchanges from DNS response answer section
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.exchange`*::
++
+--
+Mail Exchanges from DNS response answer section
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.expectedsignature`*::
++
+--
+Expected SSL signature
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.expiry`*::
++
+--
+FortiGuard override expiry timestamp
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.fams_pause`*::
++
+--
+Fortinet Analysis and Management Service Pause
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.fazlograte`*::
++
+--
+FortiAnalyzer Logging Rate
+
+
+type: long
+
+--
+
+*`fortinet.firewall.fctemssn`*::
++
+--
+FortiClient Endpoint SSN
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.fctuid`*::
++
+--
+FortiClient UID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.field`*::
++
+--
+NTP status field
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.filefilter`*::
++
+--
+The filter used to identify the affected file
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.filehashsrc`*::
++
+--
+Filehash source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.filtercat`*::
++
+--
+DLP filter category
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.filteridx`*::
++
+--
+DLP filter ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.filtername`*::
++
+--
+DLP rule name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.filtertype`*::
++
+--
+DLP filter type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.fortiguardresp`*::
++
+--
+Antispam ESP value
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.forwardedfor`*::
++
+--
+Email address forwarded
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.fqdn`*::
++
+--
+FQDN
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.frametype`*::
++
+--
+Wireless frametype
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.freediskstorage`*::
++
+--
+Free disk integer
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.from`*::
++
+--
+From email address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.from_vcluster`*::
++
+--
+Source virtual cluster number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.fsaverdict`*::
++
+--
+FSA verdict
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.fwserver_name`*::
++
+--
+Web proxy server name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.gateway`*::
++
+--
+Gateway ip address for PPPoE status report
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.green`*::
++
+--
+Memory status
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.groupid`*::
++
+--
+User Group ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.ha-prio`*::
++
+--
+HA Priority
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.ha_group`*::
++
+--
+HA Group
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ha_role`*::
++
+--
+HA Role
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.handshake`*::
++
+--
+SSL Handshake
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.hash`*::
++
+--
+Hash value of downloaded file
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.hbdn_reason`*::
++
+--
+Heartbeat down reason
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.highcount`*::
++
+--
+Highcount fabric summary
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.host`*::
++
+--
+Hostname
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.iaid`*::
++
+--
+DHCPv6 id
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.icmpcode`*::
++
+--
+Destination Port of the ICMP message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.icmpid`*::
++
+--
+Source port of the ICMP message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.icmptype`*::
++
+--
+The type of ICMP message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.identifier`*::
++
+--
+Network traffic identifier
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.in_spi`*::
++
+--
+IPSEC inbound SPI
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.incidentserialno`*::
++
+--
+Incident serial number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.infected`*::
++
+--
+Infected MMS
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.infectedfilelevel`*::
++
+--
+DLP infected file level
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.informationsource`*::
++
+--
+Information source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.init`*::
++
+--
+IPSEC init stage
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.initiator`*::
++
+--
+Original login user name for Fortiguard override
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.interface`*::
++
+--
+Related interface
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.intf`*::
++
+--
+Related interface
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.invalidmac`*::
++
+--
+The MAC address with invalid OUI
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ip`*::
++
+--
+Related IP
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.iptype`*::
++
+--
+Related IP type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.keyword`*::
++
+--
+Keyword used for search
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.kind`*::
++
+--
+VOIP kind
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.lanin`*::
++
+--
+LAN incoming traffic in bytes
+
+
+type: long
+
+--
+
+*`fortinet.firewall.lanout`*::
++
+--
+LAN outbound traffic in bytes
+
+
+type: long
+
+--
+
+*`fortinet.firewall.lease`*::
++
+--
+DHCP lease
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.license_limit`*::
++
+--
+Maximum Number of FortiClients for the License
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.limit`*::
++
+--
+Virtual Domain Resource Limit
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.line`*::
++
+--
+VOIP line
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.live`*::
++
+--
+Time in seconds
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.local`*::
++
+--
+Local IP for a PPPD Connection
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.log`*::
++
+--
+Log message
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.login`*::
++
+--
+SSH login
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.lowcount`*::
++
+--
+Fabric lowcount
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.mac`*::
++
+--
+DHCP mac address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.malform_data`*::
++
+--
+VOIP malformed data
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.malform_desc`*::
++
+--
+VOIP malformed data description
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.manuf`*::
++
+--
+Manufacturer name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.masterdstmac`*::
++
+--
+Master mac address for a host with multiple network interfaces
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.mastersrcmac`*::
++
+--
+The master MAC address for a host that has multiple network interfaces
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.mediumcount`*::
++
+--
+Fabric medium count
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.mem`*::
++
+--
+Memory usage system statistics
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.meshmode`*::
++
+--
+Wireless mesh mode
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.message_type`*::
++
+--
+VOIP message type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.method`*::
++
+--
+HTTP method
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.mgmtcnt`*::
++
+--
+The number of unauthorized client flooding managemet frames
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.mode`*::
++
+--
+IPSEC mode
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.module`*::
++
+--
+PCI-DSS module
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.monitor-name`*::
++
+--
+Health Monitor Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.monitor-type`*::
++
+--
+Health Monitor Type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.mpsk`*::
++
+--
+Wireless MPSK
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.msgproto`*::
++
+--
+Message Protocol Number
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.mtu`*::
++
+--
+Max Transmission Unit Value
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.name`*::
++
+--
+Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.nat`*::
++
+--
+NAT IP Address
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.netid`*::
++
+--
+Connector NetID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.new_status`*::
++
+--
+New status on user change
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.new_value`*::
++
+--
+New Virtual Domain Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.newchannel`*::
++
+--
+New Channel Number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.newchassisid`*::
++
+--
+New Chassis ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.newslot`*::
++
+--
+New Slot Number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.nextstat`*::
++
+--
+Time interval in seconds for the next statistics.
+ + +type: integer + +-- + +*`fortinet.firewall.nf_type`*:: ++ +-- +Notification Type + + +type: keyword + +-- + +*`fortinet.firewall.noise`*:: ++ +-- +Wifi Noise + + +type: integer + +-- + +*`fortinet.firewall.old_status`*:: ++ +-- +Original Status + + +type: keyword + +-- + +*`fortinet.firewall.old_value`*:: ++ +-- +Original Virtual Domain name + + +type: keyword + +-- + +*`fortinet.firewall.oldchannel`*:: ++ +-- +Original channel + + +type: integer + +-- + +*`fortinet.firewall.oldchassisid`*:: ++ +-- +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number + + +type: keyword + +-- + +*`fortinet.firewall.oldwprof`*:: ++ +-- +Old Web Filter Profile + + +type: keyword + +-- + +*`fortinet.firewall.onwire`*:: ++ +-- +A flag to indicate if the AP is onwire or not + + +type: keyword + +-- + +*`fortinet.firewall.opercountry`*:: ++ +-- +Operating Country + + +type: keyword + +-- + +*`fortinet.firewall.opertxpower`*:: ++ +-- +Operating TX power + + +type: integer + +-- + +*`fortinet.firewall.osname`*:: ++ +-- +Operating System name + + +type: keyword + +-- + +*`fortinet.firewall.osversion`*:: ++ +-- +Operating System version + + +type: keyword + +-- + +*`fortinet.firewall.out_spi`*:: ++ +-- +Out SPI + + +type: keyword + +-- + +*`fortinet.firewall.outintf`*:: ++ +-- +Out interface + + +type: keyword + +-- + +*`fortinet.firewall.passedcount`*:: ++ +-- +Fabric passed count + + +type: integer + +-- + +*`fortinet.firewall.passwd`*:: ++ +-- +Changed user password information + + +type: keyword + +-- + +*`fortinet.firewall.path`*:: ++ +-- +Path of looped configuration for security fabric + + +type: keyword + +-- + +*`fortinet.firewall.peer`*:: ++ +-- +WAN optimization peer + + +type: keyword + +-- + +*`fortinet.firewall.peer_notif`*:: ++ +-- +VPN peer notification + + +type: keyword + +-- + +*`fortinet.firewall.phase2_name`*:: ++ +-- +VPN 
phase2 name + + +type: keyword + +-- + +*`fortinet.firewall.phone`*:: ++ +-- +VOIP Phone + + +type: keyword + +-- + +*`fortinet.firewall.pid`*:: ++ +-- +Process ID + + +type: integer + +-- + +*`fortinet.firewall.policytype`*:: ++ +-- +Policy Type + + +type: keyword + +-- + +*`fortinet.firewall.poolname`*:: ++ +-- +IP Pool name + + +type: keyword + +-- + +*`fortinet.firewall.port`*:: ++ +-- +Log upload error port + + +type: integer + +-- + +*`fortinet.firewall.portbegin`*:: ++ +-- +IP Pool port number to begin + + +type: integer + +-- + +*`fortinet.firewall.portend`*:: ++ +-- +IP Pool port number to end + + +type: integer + +-- + +*`fortinet.firewall.probeproto`*:: ++ +-- +Link Monitor Probe Protocol + + +type: keyword + +-- + +*`fortinet.firewall.process`*:: ++ +-- +URL Filter process + + +type: keyword + +-- + +*`fortinet.firewall.processtime`*:: ++ +-- +Process time for reports + + +type: integer + +-- + +*`fortinet.firewall.profile`*:: ++ +-- +Profile Name + + +type: keyword + +-- + +*`fortinet.firewall.profile_vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.profilegroup`*:: ++ +-- +Profile Group Name + + +type: keyword + +-- + +*`fortinet.firewall.profiletype`*:: ++ +-- +Profile Type + + +type: keyword + +-- + +*`fortinet.firewall.qtypeval`*:: ++ +-- +DNS question type value + + +type: integer + +-- + +*`fortinet.firewall.quarskip`*:: ++ +-- +Quarantine skip explanation + + +type: keyword + +-- + +*`fortinet.firewall.quotaexceeded`*:: ++ +-- +If quota has been exceeded + + +type: keyword + +-- + +*`fortinet.firewall.quotamax`*:: ++ +-- +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + +type: long + +-- + +*`fortinet.firewall.quotatype`*:: ++ +-- +Quota type + + +type: keyword + +-- + +*`fortinet.firewall.quotaused`*:: ++ +-- +Quota used - in seconds if time-based - in bytes if trafficbased) + + +type: long + +-- + +*`fortinet.firewall.radioband`*:: ++ +-- +Radio band + + +type: keyword + +-- + 
+*`fortinet.firewall.radioid`*::
++
+--
+Radio ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.radioidclosest`*::
++
+--
+Radio ID on the AP closest the rogue AP
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.radioiddetected`*::
++
+--
+Radio ID on the AP which detected the rogue AP
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.rate`*::
++
+--
+Wireless rogue rate value
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.rawdata`*::
++
+--
+Raw data value
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.rawdataid`*::
++
+--
+Raw data ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.rcvddelta`*::
++
+--
+Received bytes delta
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.reason`*::
++
+--
+Alert reason
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.received`*::
++
+--
+Server key exchange received
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.receivedsignature`*::
++
+--
+Server key exchange received signature
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.red`*::
++
+--
+Memory information in red
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.referralurl`*::
++
+--
+Web filter referralurl
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.remote`*::
++
+--
+Remote PPP IP address
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.remotewtptime`*::
++
+--
+Remote Wifi Radius authentication time
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.reporttype`*::
++
+--
+Report type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.reqtype`*::
++
+--
+Request type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.request_name`*::
++
+--
+VOIP request name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.result`*::
++
+--
+VPN phase result
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.role`*::
++
+--
+VPN Phase 2 role
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.rssi`*::
++
+--
+Received signal strength indicator
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.rsso_key`*::
++
+--
+RADIUS SSO attribute value
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ruledata`*::
++
+--
+Rule data
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ruletype`*::
++
+--
+Rule type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.scanned`*::
++
+--
+Number of Scanned MMSs
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.scantime`*::
++
+--
+Scanned time
+
+
+type: long
+
+--
+
+*`fortinet.firewall.scope`*::
++
+--
+FortiGuard Override Scope
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.security`*::
++
+--
+Wireless rogue security
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sensitivity`*::
++
+--
+Sensitivity for document fingerprint
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sensor`*::
++
+--
+NAC Sensor Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sentdelta`*::
++
+--
+Sent bytes delta
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.seq`*::
++
+--
+Sequence number
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.serial`*::
++
+--
+WAN optimisation serial
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.serialno`*::
++
+--
+Serial number
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.server`*::
++
+--
+AD server FQDN or IP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.session_id`*::
++
+--
+Session ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sessionid`*::
++
+--
+WAD Session ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.setuprate`*::
++
+--
+Session Setup Rate
+
+
+type: long
+
+--
+
+*`fortinet.firewall.severity`*::
++
+--
+Severity
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.shaperdroprcvdbyte`*::
++
+--
+Received bytes dropped by shaper
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.shaperdropsentbyte`*::
++
+--
+Sent bytes dropped by shaper
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.shaperperipdropbyte`*::
++
+--
+Dropped bytes per IP by shaper
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.shaperperipname`*::
++
+--
+Traffic shaper name (per IP)
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.shaperrcvdname`*::
++
+--
+Traffic shaper name for received traffic
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.shapersentname`*::
++
+--
+Traffic shaper name for sent traffic
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.shapingpolicyid`*::
++
+--
+Traffic shaper policy ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.signal`*::
++
+--
+Wireless rogue API signal
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.size`*::
++
+--
+Email size in bytes
+
+
+type: long
+
+--
+
+*`fortinet.firewall.slot`*::
++
+--
+Slot number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.sn`*::
++
+--
+Security fabric serial number
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.snclosest`*::
++
+--
+SN of the AP closest to the rogue AP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sndetected`*::
++
+--
+SN of the AP which detected the rogue AP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.snmeshparent`*::
++
+--
+SN of the mesh parent
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.spi`*::
++
+--
+IPSEC SPI
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.src_int`*::
++
+--
+Source interface
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcintfrole`*::
++
+--
+Source interface role
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srccountry`*::
++
+--
+Source country
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcfamily`*::
++
+--
+Source family
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srchwvendor`*::
++
+--
+Source hardware vendor
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srchwversion`*::
++
+--
+Source hardware version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcinetsvc`*::
++
+--
+Source interface service
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcname`*::
++
+--
+Source name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcserver`*::
++
+--
+Source server
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.srcssid`*::
++
+--
+Source SSID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcswversion`*::
++
+--
+Source software version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.srcuuid`*::
++
+--
+Source UUID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sscname`*::
++
+--
+SSC name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ssid`*::
++
+--
+Base Service Set ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sslaction`*::
++
+--
+SSL Action
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ssllocal`*::
++
+--
+WAD SSL local
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sslremote`*::
++
+--
+WAD SSL remote
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.stacount`*::
++
+--
+Number of stations/clients
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.stage`*::
++
+--
+IPSEC stage
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.stamac`*::
++
+--
+802.1x station mac
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.state`*::
++
+--
+Admin login state
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.status`*::
++
+--
+Status
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.stitch`*::
++
+--
+Automation stitch triggered
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.subject`*::
++
+--
+Email subject
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.submodule`*::
++
+--
+Configuration Sub-Module Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.subservice`*::
++
+--
+AV subservice
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.subtype`*::
++
+--
+Log subtype
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.suspicious`*::
++
+--
+Number of Suspicious MMSs
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.switchproto`*::
++
+--
+Protocol change information
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sync_status`*::
++
+--
+The sync status with the master
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sync_type`*::
++
+--
+The sync type with the master
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.sysuptime`*::
++
+--
+System uptime
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.tamac`*::
++
+--
+the MAC address of Transmitter, if none, then Receiver
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.threattype`*::
++
+--
+WIDS threat type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.time`*::
++
+--
+Time of the event
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.to`*::
++
+--
+Email to field
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.to_vcluster`*::
++
+--
+destination virtual cluster number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.total`*::
++
+--
+Total memory
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.totalsession`*::
++
+--
+Total Number of Sessions
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.trace_id`*::
++
+--
+Session clash trace ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.trandisp`*::
++
+--
+NAT translation type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.transid`*::
++
+--
+HTTP transaction ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.translationid`*::
++
+--
+DNS filter transaltion ID
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.trigger`*::
++
+--
+Automation stitch trigger
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.trueclntip`*::
++
+--
+File filter true client IP
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.tunnelid`*::
++
+--
+IPSEC tunnel ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.tunnelip`*::
++
+--
+IPSEC tunnel IP
+
+
+type: ip
+
+--
+
+*`fortinet.firewall.tunneltype`*::
++
+--
+IPSEC tunnel type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.type`*::
++
+--
+Module type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.ui`*::
++
+--
+Admin authentication UI type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.unauthusersource`*::
++
+--
+Unauthenticated user source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.unit`*::
++
+--
+Power supply unit
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.urlfilteridx`*::
++
+--
+URL filter ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.urlfilterlist`*::
++
+--
+URL filter list
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.urlsource`*::
++
+--
+URL filter source
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.urltype`*::
++
+--
+URL filter type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.used`*::
++
+--
+Number of Used IPs
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.used_for_type`*::
++
+--
+Connection for the type
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.utmaction`*::
++
+--
+Security action performed by UTM
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vap`*::
++
+--
+Virtual AP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vapmode`*::
++
+--
+Virtual AP mode
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vcluster`*::
++
+--
+virtual cluster id
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.vcluster_member`*::
++
+--
+Virtual cluster member
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.vcluster_state`*::
++
+--
+Virtual cluster state
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vd`*::
++
+--
+Virtual Domain Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vdname`*::
++
+--
+Virtual Domain Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vendorurl`*::
++
+--
+Vulnerability scan vendor name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.version`*::
++
+--
+Version
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vip`*::
++
+--
+Virtual IP
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.virus`*::
++
+--
+Virus name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.virusid`*::
++
+--
+Virus ID (unique virus identifier)
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.voip_proto`*::
++
+--
+VOIP protocol
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vpn`*::
++
+--
+VPN description
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vpntunnel`*::
++
+--
+IPsec Vpn Tunnel Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vpntype`*::
++
+--
+The type of the VPN tunnel
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vrf`*::
++
+--
+VRF number
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.vulncat`*::
++
+--
+Vulnerability Category
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vulnid`*::
++
+--
+Vulnerability ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.vulnname`*::
++
+--
+Vulnerability name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vwlid`*::
++
+--
+VWL ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.vwlquality`*::
++
+--
+VWL quality
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vwlservice`*::
++
+--
+VWL service
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.vwpvlanid`*::
++
+--
+VWP VLAN ID
+
+
+type: integer
+
+--
+
+*`fortinet.firewall.wanin`*::
++
+--
+WAN incoming traffic in bytes
+
+
+type: long
+
+--
+
+*`fortinet.firewall.wanoptapptype`*::
++
+--
+WAN Optimization Application type
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.wanout`*::
++
+--
+WAN outgoing traffic in bytes
+
+
+type: long
+
+--
+
+*`fortinet.firewall.weakwepiv`*::
++
+--
+Weak Wep Initiation Vector
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.xauthgroup`*::
++
+--
+XAuth Group Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.xauthuser`*::
++
+--
+XAuth User Name
+
+
+type: keyword
+
+--
+
+*`fortinet.firewall.xid`*::
++
+--
+Wireless X ID
+
+
+type: integer
+
+--
+
+[[exported-fields-googlecloud]]
+== Google Cloud fields
+
+Module for handling logs from Google Cloud.
+
+
+
+[float]
+=== googlecloud
+
+Fields from Google Cloud logs.
+
+
+
+[float]
+=== destination.instance
+
+If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
+
+
+
+*`googlecloud.destination.instance.project_id`*::
++
+--
+ID of the project containing the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.destination.instance.region`*::
++
+--
+Region of the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.destination.instance.zone`*::
++
+--
+Zone of the VM.
+
+
+type: keyword
+
+--
+
+[float]
+=== destination.vpc
+
+If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
+
+
+
+*`googlecloud.destination.vpc.project_id`*::
++
+--
+ID of the project containing the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.destination.vpc.vpc_name`*::
++
+--
+VPC on which the VM is operating.
+
+
+type: keyword
+
+--
+
+*`googlecloud.destination.vpc.subnetwork_name`*::
++
+--
+Subnetwork on which the VM is operating.
+
+
+type: keyword
+
+--
+
+[float]
+=== source.instance
+
+If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
+
+
+
+*`googlecloud.source.instance.project_id`*::
++
+--
+ID of the project containing the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.source.instance.region`*::
++
+--
+Region of the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.source.instance.zone`*::
++
+--
+Zone of the VM.
+
+
+type: keyword
+
+--
+
+[float]
+=== source.vpc
+
+If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
+
+
+
+*`googlecloud.source.vpc.project_id`*::
++
+--
+ID of the project containing the VM.
+
+
+type: keyword
+
+--
+
+*`googlecloud.source.vpc.vpc_name`*::
++
+--
+VPC on which the VM is operating.
+
+
+type: keyword
+
+--
+
+*`googlecloud.source.vpc.subnetwork_name`*::
++
+--
+Subnetwork on which the VM is operating.
+
+
+type: keyword
+
+--
+
+[float]
+=== audit
+
+Fields for Google Cloud audit logs.
+
+
+
+*`googlecloud.audit.type`*::
++
+--
+Type property.
+
+
+type: keyword
+
+--
+
+[float]
+=== authentication_info
+
+Authentication information.
+
+
+
+*`googlecloud.audit.authentication_info.principal_email`*::
++
+--
+The email address of the authenticated user making the request.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.authentication_info.authority_selector`*::
++
+--
+The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.authorization_info`*::
++
+--
+Authorization information for the operation.
+
+
+type: array
+
+--
+
+*`googlecloud.audit.method_name`*::
++
+--
+The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.num_response_items`*::
++
+--
+The number of items returned from a List or Query API method, if applicable.
+
+
+type: long
+
+--
+
+[float]
+=== request
+
+The operation request.
+
+
+
+*`googlecloud.audit.request.proto_name`*::
++
+--
+Type property of the request.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.request.filter`*::
++
+--
+Filter of the request.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.request.name`*::
++
+--
+Name of the request.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.request.resource_name`*::
++
+--
+Name of the request resource.
+
+
+type: keyword
+
+--
+
+[float]
+=== request_metadata
+
+Metadata about the request.
+
+
+
+*`googlecloud.audit.request_metadata.caller_ip`*::
++
+--
+The IP address of the caller.
+
+
+type: ip
+
+--
+
+*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*::
++
+--
+The user agent of the caller. This information is not authenticated and should be treated accordingly.
+
+
+type: keyword
+
+--
+
+[float]
+=== response
+
+The operation response.
+
+
+
+*`googlecloud.audit.response.proto_name`*::
++
+--
+Type property of the response.
+
+
+type: keyword
+
+--
+
+[float]
+=== details
+
+The details of the response.
+
+
+
+*`googlecloud.audit.response.details.group`*::
++
+--
+The name of the group.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.response.details.kind`*::
++
+--
+The kind of the response details.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.response.details.name`*::
++
+--
+The name of the response details.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.response.details.uid`*::
++
+--
+The uid of the response details.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.response.status`*::
++
+--
+Status of the response.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.resource_name`*::
++
+--
+The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'.
+
+
+type: keyword
+
+--
+
+[float]
+=== resource_location
+
+The location of the resource.
+
+
+
+*`googlecloud.audit.resource_location.current_locations`*::
++
+--
+Current locations of the resource.
+
+
+type: keyword
+
+--
+
+*`googlecloud.audit.service_name`*::
++
+--
+The name of the API service performing the operation. For example, datastore.googleapis.com.
+
+
+type: keyword
+
+--
+
+[float]
+=== status
+
+The status of the overall operation.
+
+
+
+*`googlecloud.audit.status.code`*::
++
+--
+The status code, which should be an enum value of google.rpc.Code.
+
+
+type: integer
+
+--
+
+*`googlecloud.audit.status.message`*::
++
+--
+A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
+
+
+type: keyword
+
+--
+
+[float]
+=== firewall
+
+Fields for Google Cloud Firewall logs.
+
+
+
+[float]
+=== rule_details
+
+Description of the firewall rule that matched this connection.
+
+
+
+*`googlecloud.firewall.rule_details.priority`*::
++
+--
+The priority for the firewall rule.
+
+type: long
+
+--
+
+*`googlecloud.firewall.rule_details.action`*::
++
+--
+Action that the rule performs on match.
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.direction`*::
++
+--
+Direction of traffic that matches this rule.
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.reference`*::
++
+--
+Reference to the firewall rule.
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.source_range`*::
++
+--
+List of source ranges that the firewall rule applies to.
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.destination_range`*::
++
+--
+List of destination ranges that the firewall applies to.
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.source_tag`*::
++
+--
+List of all the source tags that the firewall rule applies to.
+
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.target_tag`*::
++
+--
+List of all the target tags that the firewall rule applies to.
+
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.ip_port_info`*::
++
+--
+List of ip protocols and applicable port ranges for rules.
+
+
+type: array
+
+--
+
+*`googlecloud.firewall.rule_details.source_service_account`*::
++
+--
+List of all the source service accounts that the firewall rule applies to.
+
+
+type: keyword
+
+--
+
+*`googlecloud.firewall.rule_details.target_service_account`*::
++
+--
+List of all the target service accounts that the firewall rule applies to.
+
+
+type: keyword
+
+--
+
+[float]
+=== vpcflow
+
+Fields for Google Cloud VPC flow logs.
+
+
+
+*`googlecloud.vpcflow.reporter`*::
++
+--
+The side which reported the flow. Can be either 'SRC' or 'DEST'.
+
+
+type: keyword
+
+--
+
+*`googlecloud.vpcflow.rtt.ms`*::
++
+--
+Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
+
+
+type: long
+
+--
+
+[[exported-fields-gsuite]]
+== gsuite fields
+
+gsuite Module
+
+
+
+[float]
+=== gsuite
+
+Gsuite specific fields.
+More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + + +*`gsuite.actor.type`*:: ++ +-- +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + + +type: keyword + +-- + +*`gsuite.actor.key`*:: ++ +-- +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + + +type: keyword + +-- + +*`gsuite.event.type`*:: ++ +-- +The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.kind`*:: ++ +-- +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.organization.domain`*:: ++ +-- +The domain that is affected by the report's event. + + +type: keyword + +-- + + +*`gsuite.saml.application_name`*:: ++ +-- +Saml SP application name. + + +type: keyword + +-- + +*`gsuite.saml.failure_type`*:: ++ +-- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + + +type: keyword + +-- + +*`gsuite.saml.initiated_by`*:: ++ +-- +Requester of SAML authentication. + + +type: keyword + +-- + +*`gsuite.saml.orgunit_path`*:: ++ +-- +User orgunit. + + +type: keyword + +-- + +*`gsuite.saml.status_code`*:: ++ +-- +SAML status code. + + +type: long + +-- + +*`gsuite.saml.second_level_status_code`*:: ++ +-- +SAML second level status code. 
+
+
+type: long
+
+--
+
+[[exported-fields-haproxy]]
+== HAProxy fields
+
+haproxy Module
+
+
+
+[float]
+=== haproxy
+
+
+
+
+*`haproxy.frontend_name`*::
++
+--
+Name of the frontend (or listener) which received and processed the connection.
+
+--
+
+*`haproxy.backend_name`*::
++
+--
+Name of the backend (or listener) which was selected to manage the connection to the server.
+
+--
+
+*`haproxy.server_name`*::
++
+--
+Name of the last server to which the connection was sent.
+
+--
+
+*`haproxy.total_waiting_time_ms`*::
++
+--
+Total time in milliseconds spent waiting in the various queues
+
+type: long
+
+--
+
+*`haproxy.connection_wait_time_ms`*::
++
+--
+Total time in milliseconds spent waiting for the connection to establish to the final server
+
+type: long
+
+--
+
+*`haproxy.bytes_read`*::
++
+--
+Total number of bytes transmitted to the client when the log is emitted.
+
+type: long
+
+--
+
+*`haproxy.time_queue`*::
++
+--
+Total time in milliseconds spent waiting in the various queues.
+
+type: long
+
+--
+
+*`haproxy.time_backend_connect`*::
++
+--
+Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
+
+type: long
+
+--
+
+*`haproxy.server_queue`*::
++
+--
+Total number of requests which were processed before this one in the server queue.
+
+type: long
+
+--
+
+*`haproxy.backend_queue`*::
++
+--
+Total number of requests which were processed before this one in the backend's global queue.
+
+type: long
+
+--
+
+*`haproxy.bind_name`*::
++
+--
+Name of the listening address which received the connection.
+
+--
+
+*`haproxy.error_message`*::
++
+--
+Error message logged by HAProxy in case of error.
+
+type: text
+
+--
+
+*`haproxy.source`*::
++
+--
+The HAProxy source of the log
+
+type: keyword
+
+--
+
+*`haproxy.termination_state`*::
++
+--
+Condition the session was in when the session ended.
+ +-- + +*`haproxy.mode`*:: ++ +-- +mode that the frontend is operating (TCP or HTTP) + +type: keyword + +-- + +[float] +=== connections + +Contains various counts of connections active in the process. + + +*`haproxy.connections.active`*:: ++ +-- +Total number of concurrent connections on the process when the session was logged. + +type: long + +-- + +*`haproxy.connections.frontend`*:: ++ +-- +Total number of concurrent connections on the frontend when the session was logged. + +type: long + +-- + +*`haproxy.connections.backend`*:: ++ +-- +Total number of concurrent connections handled by the backend when the session was logged. + +type: long + +-- + +*`haproxy.connections.server`*:: ++ +-- +Total number of concurrent connections still active on the server when the session was logged. + +type: long + +-- + +*`haproxy.connections.retries`*:: ++ +-- +Number of connection retries experienced by this session when trying to connect to the server. + +type: long + +-- + +[float] +=== client + +Information about the client doing the request + + +*`haproxy.client.ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`haproxy.client.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`haproxy.process_name`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`haproxy.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +[float] +=== destination + +Destination information + + +*`haproxy.destination.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`haproxy.destination.ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +[float] +=== geoip + +Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. 
+ + + +*`haproxy.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`haproxy.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`haproxy.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`haproxy.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`haproxy.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`haproxy.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== http + +Please add description + + +[float] +=== response + +Fields related to the HTTP response + + +*`haproxy.http.response.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the client had this cookie in the response. + + +-- + +*`haproxy.http.response.captured_headers`*:: ++ +-- +List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. + + +type: keyword + +-- + +*`haproxy.http.response.status_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +[float] +=== request + +Fields related to the HTTP request + + +*`haproxy.http.request.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the server has returned a cookie with its request. + + +-- + +*`haproxy.http.request.captured_headers`*:: ++ +-- +List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. + + +type: keyword + +-- + +*`haproxy.http.request.raw_request_line`*:: ++ +-- +Complete HTTP request line, including the method, request and HTTP version string. + +type: keyword + +-- + +*`haproxy.http.request.time_wait_without_data_ms`*:: ++ +-- +Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. 
+ +type: long + +-- + +*`haproxy.http.request.time_wait_ms`*:: ++ +-- +Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. + +type: long + +-- + +[float] +=== tcp + +TCP log format + + +*`haproxy.tcp.connection_waiting_time_ms`*:: ++ +-- +Total time in milliseconds elapsed between the accept and the last close + +type: long + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. + + + + +*`host.containerized`*:: ++ +-- +If the host is a container. + + +type: boolean + +-- + +*`host.os.build`*:: ++ +-- +OS build information. + + +type: keyword + +example: 18D109 + +-- + +*`host.os.codename`*:: ++ +-- +OS codename, if any. + + +type: keyword + +example: stretch + +-- + +[[exported-fields-ibmmq]] +== ibmmq fields + +ibmmq Module + + + +[float] +=== ibmmq + + + + +[float] +=== errorlog + +IBM MQ error logs + + +*`ibmmq.errorlog.installation`*:: ++ +-- +This is the installation name which can be given at installation time. +Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. + + +type: keyword + +-- + +*`ibmmq.errorlog.qmgr`*:: ++ +-- +Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. 
+ + +type: keyword + +-- + +*`ibmmq.errorlog.arithinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.commentinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.errordescription`*:: ++ +-- +Please add description + +type: text + +example: Please add example + +-- + +*`ibmmq.errorlog.explanation`*:: ++ +-- +Explaines the error in more detail + +type: keyword + +-- + +*`ibmmq.errorlog.action`*:: ++ +-- +Defines what to do when the error occurs + +type: keyword + +-- + +*`ibmmq.errorlog.code`*:: ++ +-- +Error code. + +type: keyword + +-- + +[[exported-fields-icinga]] +== Icinga fields + +Icinga Module + + + +[float] +=== icinga + + + + +[float] +=== debug + +Contains fields for the Icinga debug logs. + + + +*`icinga.debug.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.debug.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.debug.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== main + +Contains fields for the Icinga main logs. + + + +*`icinga.main.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.main.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.main.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== startup + +Contains fields for the Icinga startup logs. + + + +*`icinga.startup.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.startup.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.startup.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-iis]] +== IIS fields + +Module for parsing IIS log files. + + + +[float] +=== iis + +Fields from IIS log files. + + + +[float] +=== access + +Contains fields for IIS access logs. 
+ + + +*`iis.access.sub_status`*:: ++ +-- +The HTTP substatus code. + + +type: long + +-- + +*`iis.access.win32_status`*:: ++ +-- +The Windows status code. + + +type: long + +-- + +*`iis.access.site_name`*:: ++ +-- +The site name and instance number. + + +type: keyword + +-- + +*`iis.access.server_name`*:: ++ +-- +The name of the server on which the log file entry was generated. + + +type: keyword + +-- + +*`iis.access.cookie`*:: ++ +-- +The content of the cookie sent or received, if any. + + +type: keyword + +-- + +*`iis.access.body_received.bytes`*:: ++ +-- +type: alias + +alias to: http.request.body.bytes + +-- + +*`iis.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`iis.access.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.access.url`*:: ++ +-- +type: alias + +alias to: url.path + +-- + +*`iis.access.query_string`*:: ++ +-- +type: alias + +alias to: url.query + +-- + +*`iis.access.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`iis.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`iis.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`iis.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.access.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + + +*`iis.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`iis.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`iis.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`iis.access.user_agent.os_name`*:: ++ +-- +type: alias 
+ +alias to: user_agent.os.name + +-- + +*`iis.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`iis.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for IIS error logs. + + + +*`iis.error.reason_phrase`*:: ++ +-- +The HTTP reason phrase. + + +type: keyword + +-- + +*`iis.error.queue_name`*:: ++ +-- +The IIS application pool name. + + +type: keyword + +-- + +*`iis.error.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.error.remote_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`iis.error.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.error.server_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.error.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.error.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.error.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`iis.error.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + + +*`iis.error.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.error.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.error.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + 
+*`iis.error.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.error.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.error.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-imperva]] +== Imperva SecureSphere fields + +imperva fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-infoblox]] +== Infoblox NIOS fields + +infoblox fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-iptables]] +== iptables fields + +Module for handling the iptables logs. + + + +[float] +=== iptables + +Fields from the iptables logs. + + + +*`iptables.ether_type`*:: ++ +-- +Value of the ethernet type field identifying the network layer protocol. + + +type: long + +-- + +*`iptables.flow_label`*:: ++ +-- +IPv6 flow label. + + +type: integer + +-- + +*`iptables.fragment_flags`*:: ++ +-- +IP fragment flags. A combination of CE, DF and MF. + + +type: keyword + +-- + +*`iptables.fragment_offset`*:: ++ +-- +Offset of the current IP fragment. + + +type: long + +-- + +[float] +=== icmp + +ICMP fields. + + + +*`iptables.icmp.code`*:: ++ +-- +ICMP code. + + +type: long + +-- + +*`iptables.icmp.id`*:: ++ +-- +ICMP ID. + + +type: long + +-- + +*`iptables.icmp.parameter`*:: ++ +-- +ICMP parameter. 
+ + +type: long + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +ICMP redirect address. + + +type: ip + +-- + +*`iptables.icmp.seq`*:: ++ +-- +ICMP sequence number. + + +type: long + +-- + +*`iptables.icmp.type`*:: ++ +-- +ICMP type. + + +type: long + +-- + +*`iptables.id`*:: ++ +-- +Packet identifier. + + +type: long + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +Number of incomplete bytes. + + +type: long + +-- + +*`iptables.input_device`*:: ++ +-- +Device that received the packet. + + +type: keyword + +-- + +*`iptables.precedence_bits`*:: ++ +-- +IP precedence bits. + + +type: short + +-- + +*`iptables.tos`*:: ++ +-- +IP Type of Service field. + + +type: long + +-- + +*`iptables.length`*:: ++ +-- +Packet length. + + +type: long + +-- + +*`iptables.output_device`*:: ++ +-- +Device that output the packet. + + +type: keyword + +-- + +[float] +=== tcp + +TCP fields. + + + +*`iptables.tcp.flags`*:: ++ +-- +TCP flags. + + +type: keyword + +-- + +*`iptables.tcp.reserved_bits`*:: ++ +-- +TCP reserved bits. + + +type: short + +-- + +*`iptables.tcp.seq`*:: ++ +-- +TCP sequence number. + + +type: long + +-- + +*`iptables.tcp.ack`*:: ++ +-- +TCP Acknowledgment number. + + +type: long + +-- + +*`iptables.tcp.window`*:: ++ +-- +Advertised TCP window size. + + +type: long + +-- + +*`iptables.ttl`*:: ++ +-- +Time To Live field. + + +type: integer + +-- + +[float] +=== udp + +UDP fields. + + + +*`iptables.udp.length`*:: ++ +-- +Length of the UDP header and payload. + + +type: long + +-- + +[float] +=== ubiquiti + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +Input zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.output_zone`*:: ++ +-- +Output zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.rule_number`*:: ++ +-- +The rule number within the rule set. + +type: keyword + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +The rule set name. 
+ +type: keyword + +-- + +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields + +Metadata from Jolokia Discovery added by the jolokia provider. + + + +*`jolokia.agent.version`*:: ++ +-- +Version number of jolokia agent. + + +type: keyword + +-- + +*`jolokia.agent.id`*:: ++ +-- +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. + + +type: keyword + +-- + +*`jolokia.server.product`*:: ++ +-- +The container product if detected. + + +type: keyword + +-- + +*`jolokia.server.version`*:: ++ +-- +The container's version (if detected). + + +type: keyword + +-- + +*`jolokia.server.vendor`*:: ++ +-- +The vendor of the container the agent is running in. + + +type: keyword + +-- + +*`jolokia.url`*:: ++ +-- +The URL how this agent can be contacted. + + +type: keyword + +-- + +*`jolokia.secured`*:: ++ +-- +Whether the agent was configured for authentication or not. + + +type: boolean + +-- + +[[exported-fields-juniper]] +== Juniper JUNOS fields + +juniper fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-kafka]] +== Kafka fields + +Kafka module + + + +[float] +=== kafka + + + + +[float] +=== log + +Kafka log lines. + + + +*`kafka.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`kafka.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`kafka.log.component`*:: ++ +-- +Component the log is coming from. + + +type: keyword + +-- + +*`kafka.log.class`*:: ++ +-- +Java class the log is coming from. + + +type: keyword + +-- + +*`kafka.log.thread`*:: ++ +-- +Thread name the log is coming from. + + +type: keyword + +-- + +[float] +=== trace + +Trace in the log line. + + + +*`kafka.log.trace.class`*:: ++ +-- +Java class the trace is coming from. + + +type: keyword + +-- + +*`kafka.log.trace.message`*:: ++ +-- +Message part of the trace. 
+ + +type: text + +-- + +[[exported-fields-kaspersky]] +== Kaspersky Anti-Virus fields + +kaspersky fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+
+type: keyword
+
+--
+
+*`rsa.db.instance`*::
++
+--
+This key is used to capture the database server instance name
+
+type: keyword
+
+--
+
+*`rsa.db.database`*::
++
+--
+This key is used to capture the name of a database or an instance as seen in a session
+
+type: keyword
+
+--
+
+*`rsa.db.transact_id`*::
++
+--
+This key captures the SQL transantion ID of the current session
+
+type: keyword
+
+--
+
+*`rsa.db.permissions`*::
++
+--
+This key captures permission or privilege level assigned to a resource.
+
+type: keyword
+
+--
+
+*`rsa.db.table_name`*::
++
+--
+This key is used to capture the table name
+
+type: keyword
+
+--
+
+*`rsa.db.db_id`*::
++
+--
+This key is used to capture the unique identifier for a database
+
+type: keyword
+
+--
+
+*`rsa.db.db_pid`*::
++
+--
+This key captures the process id of a connection with database server
+
+type: long
+
+--
+
+*`rsa.db.lread`*::
++
+--
+This key is used for the number of logical reads
+
+type: long
+
+--
+
+*`rsa.db.lwrite`*::
++
+--
+This key is used for the number of logical writes
+
+type: long
+
+--
+
+*`rsa.db.pread`*::
++
+--
+This key is used for the number of physical writes
+
+type: long
+
+--
+
+
+*`rsa.network.alias_host`*::
++
+--
+This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+
+type: keyword
+
+--
+
+*`rsa.network.domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_dst`*::
++
+--
+This key should only be used when it’s a Destination Hostname
+
+type: keyword
+
+--
+
+*`rsa.network.network_service`*::
++
+--
+This is used to capture layer 7 protocols/service names
+
+type: keyword
+
+--
+
+*`rsa.network.interface`*::
++
+--
+This key should be used when the source or destination context of an interface is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.network_port`*::
++
+--
+Deprecated, use port.
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)
+
+type: long
+
+--
+
+*`rsa.network.eth_host`*::
++
+--
+Deprecated, use alias.mac
+
+type: keyword
+
+--
+
+*`rsa.network.sinterface`*::
++
+--
+This key should only be used when it’s a Source Interface
+
+type: keyword
+
+--
+
+*`rsa.network.dinterface`*::
++
+--
+This key should only be used when it’s a Destination Interface
+
+type: keyword
+
+--
+
+*`rsa.network.vlan`*::
++
+--
+This key should only be used to capture the ID of the Virtual LAN
+
+type: long
+
+--
+
+*`rsa.network.zone_src`*::
++
+--
+This key should only be used when it’s a Source Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.zone`*::
++
+--
+This key should be used when the source or destination context of a Zone is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.zone_dst`*::
++
+--
+This key should only be used when it’s a Destination Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.gateway`*::
++
+--
+This key is used to capture the IP Address of the gateway
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_type`*::
++
+--
+This key is used to capture the ICMP type only
+
+type: long
+
+--
+
+*`rsa.network.mask`*::
++
+--
+This key is used to capture the device network IPmask.
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_code`*::
++
+--
+This key is used to capture the ICMP code only
+
+type: long
+
+--
+
+*`rsa.network.protocol_detail`*::
++
+--
+This key should be used to capture additional protocol information
+
+type: keyword
+
+--
+
+*`rsa.network.dmask`*::
++
+--
+This key is used for Destionation Device network mask
+
+type: keyword
+
+--
+
+*`rsa.network.port`*::
++
+--
+This key should only be used to capture a Network Port when the directionality is not clear
+
+type: long
+
+--
+
+*`rsa.network.smask`*::
++
+--
+This key is used for capturing source Network Mask
+
+type: keyword
+
+--
+
+*`rsa.network.netname`*::
++
+--
+This key is used to capture the network name associated with an IP range. This is configured by the end user.
+
+type: keyword
+
+--
+
+*`rsa.network.paddr`*::
++
+--
+Deprecated
+
+type: ip
+
+--
+
+*`rsa.network.faddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.lhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.origin`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.remote_domain_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.addr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_a_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_ptr_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fport`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.laddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.linterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.phost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.ad_computer_dst`*::
++
+--
+Deprecated, use host.dst
+
+type: keyword
+
+--
+
+*`rsa.network.eth_type`*::
++
+--
+This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+
+type: long
+
+--
+
+*`rsa.network.ip_proto`*::
++
+--
+This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+
+type: long
+
+--
+
+*`rsa.network.dns_cname_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_opcode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_resp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.domain1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.packet_length`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_orig`*::
++
+--
+This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+
+type: keyword
+
+--
+
+*`rsa.network.rpayload`*::
++
+--
+This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+
+type: keyword
+
+--
+
+*`rsa.network.vlan_name`*::
++
+--
+This key should only be used to capture the name of the Virtual LAN
+
+type: keyword
+
+--
+
+
+*`rsa.investigations.ec_activity`*::
++
+--
+This key captures the particular event activity(Ex:Logoff)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_theme`*::
++
+--
+This key captures the Theme of a particular Event(Ex:Authentication)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_subject`*::
++
+--
+This key captures the Subject of a particular Event(Ex:User)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_outcome`*::
++
+--
+This key captures the outcome of a particular Event(Ex:Success)
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_cat`*::
++
+--
+This key captures the Event category number
+
+type: long
+
+--
+
+*`rsa.investigations.event_cat_name`*::
++
+--
+This key captures the event category name corresponding to the event cat code
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_vcat`*::
++
+--
+This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_file`*::
++
+--
+This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_service`*::
++
+--
+This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_session`*::
++
+--
+This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
+
+type: keyword
+
+--
+
+*`rsa.investigations.boc`*::
++
+--
+This is used to capture behaviour of compromise
+
+type: keyword
+
+--
+
+*`rsa.investigations.eoc`*::
++
+--
+This is used to capture Enablers of Compromise
+
+type: keyword
+
+--
+
+*`rsa.investigations.inv_category`*::
++
+--
+This used to capture investigation category
+
+type: keyword
+
+--
+
+*`rsa.investigations.inv_context`*::
++
+--
+This used to capture investigation context
+
+type: keyword
+
+--
+
+*`rsa.investigations.ioc`*::
++
+--
+This is key capture indicator of compromise
+
+type: keyword
+
+--
+
+
+*`rsa.counters.dclass_c1`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c1.str only
+
+type: long
+
+--
+
+*`rsa.counters.dclass_c2`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c2.str only
+
+type: long
+
+--
+
+*`rsa.counters.event_counter`*::
++
+--
+This is used to capture the number of times an event repeated
+
+type: long
+
+--
+
+*`rsa.counters.dclass_r1`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r1.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c3`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c3.str only
+
+type: long
+
+--
+
+*`rsa.counters.dclass_c1_str`*::
++
+--
+This is a generic counter string key that should be used with the label dclass.c1 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c2_str`*::
++
+--
+This is a generic counter string key that should be
used with the label dclass.c2 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r1_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r1 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r2`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r2.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c3_str`*::
++
+--
+This is a generic counter string key that should be used with the label dclass.c3 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r3`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r3.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r2_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r2 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r3_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r3 only
+
+type: keyword
+
+--
+
+
+*`rsa.identity.auth_method`*::
++
+--
+This key is used to capture authentication methods used only
+
+type: keyword
+
+--
+
+*`rsa.identity.user_role`*::
++
+--
+This key is used to capture the Role of a user only
+
+type: keyword
+
+--
+
+*`rsa.identity.dn`*::
++
+--
+X.500 (LDAP) Distinguished Name
+
+type: keyword
+
+--
+
+*`rsa.identity.logon_type`*::
++
+--
+This key is used to capture the type of logon method used.
+
+type: keyword
+
+--
+
+*`rsa.identity.profile`*::
++
+--
+This key is used to capture the user profile
+
+type: keyword
+
+--
+
+*`rsa.identity.accesses`*::
++
+--
+This key is used to capture actual privileges used in accessing an object
+
+type: keyword
+
+--
+
+*`rsa.identity.realm`*::
++
+--
+Radius realm or similar grouping of accounts
+
+type: keyword
+
+--
+
+*`rsa.identity.user_sid_dst`*::
++
+--
+This key captures Destination User Session ID
+
+type: keyword
+
+--
+
+*`rsa.identity.dn_src`*::
++
+--
+An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+
+type: keyword
+
+--
+
+*`rsa.identity.org`*::
++
+--
+This key captures the User organization
+
+type: keyword
+
+--
+
+*`rsa.identity.dn_dst`*::
++
+--
+An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+
+type: keyword
+
+--
+
+*`rsa.identity.firstname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.lastname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.user_dept`*::
++
+--
+User's Department Names only
+
+type: keyword
+
+--
+
+*`rsa.identity.user_sid_src`*::
++
+--
+This key captures Source User Session ID
+
+type: keyword
+
+--
+
+*`rsa.identity.federated_sp`*::
++
+--
+This key is the Federated Service Provider. This is the application requesting authentication.
+
+type: keyword
+
+--
+
+*`rsa.identity.federated_idp`*::
++
+--
+This key is the federated Identity Provider. This is the server providing the authentication.
+
+type: keyword
+
+--
+
+*`rsa.identity.logon_type_desc`*::
++
+--
+This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+
+type: keyword
+
+--
+
+*`rsa.identity.middlename`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.password`*::
++
+--
+This key is for Passwords seen in any session, plain text or encrypted
+
+type: keyword
+
+--
+
+*`rsa.identity.host_role`*::
++
+--
+This key should only be used to capture the role of a Host Machine
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap`*::
++
+--
+This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap_query`*::
++
+--
+This key is the Search criteria from an LDAP search
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap_response`*::
++
+--
+This key is to capture Results from an LDAP search
+
+type: keyword
+
+--
+
+*`rsa.identity.owner`*::
++
+--
+This is used to capture username the process or service is running as, the author of the task
+
+type: keyword
+
+--
+
+*`rsa.identity.service_account`*::
++
+--
+This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
+
+type: keyword
+
+--
+
+
+*`rsa.email.email_dst`*::
++
+--
+This key is used to capture the Destination email address only, when the destination context is not clear use email
+
+type: keyword
+
+--
+
+*`rsa.email.email_src`*::
++
+--
+This key is used to capture the source email address only, when the source context is not clear use email
+
+type: keyword
+
+--
+
+*`rsa.email.subject`*::
++
+--
+This key is used to capture the subject string from an Email only.
+
+type: keyword
+
+--
+
+*`rsa.email.email`*::
++
+--
+This key is used to capture a generic email address where the source or destination context is not clear
+
+type: keyword
+
+--
+
+*`rsa.email.trans_from`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.email.trans_to`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+
+*`rsa.file.privilege`*::
++
+--
+Deprecated, use permissions
+
+type: keyword
+
+--
+
+*`rsa.file.attachment`*::
++
+--
+This key captures the attachment file name
+
+type: keyword
+
+--
+
+*`rsa.file.filesystem`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.file.binary`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.file.filename_dst`*::
++
+--
+This is used to capture name of the file targeted by the action
+
+type: keyword
+
+--
+
+*`rsa.file.filename_src`*::
++
+--
+This is used to capture name of the parent filename, the file which performed the action
+
+type: keyword
+
+--
+
+*`rsa.file.filename_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.file.directory_dst`*::
++
+--
+This key is used to capture the directory of the target process or file
+
+type: keyword
+
+--
+
+*`rsa.file.directory_src`*::
++
+--
+This key is used to capture the directory of the source process or file
+
+type: keyword
+
+--
+
+*`rsa.file.file_entropy`*::
++
+--
+This is used to capture entropy vale of a file
+
+type: double
+
+--
+
+*`rsa.file.file_vendor`*::
++
+--
+This is used to capture Company name of file located in version_info
+
+type: keyword
+
+--
+
+*`rsa.file.task_name`*::
++
+--
+This is used to capture name of the task
+
+type: keyword
+
+--
+
+
+*`rsa.web.fqdn`*::
++
+--
+Fully Qualified Domain Names
+
+type: keyword
+
+--
+
+*`rsa.web.web_cookie`*::
++
+--
+This key is used to capture the Web cookies specifically.
+
+type: keyword
+
+--
+
+*`rsa.web.alias_host`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.reputation_num`*::
++
+--
+Reputation Number of an entity.
Typically used for Web Domains
+
+type: double
+
+--
+
+*`rsa.web.web_ref_domain`*::
++
+--
+Web referer's domain
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_query`*::
++
+--
+This key captures Web referer's query portion of the URL
+
+type: keyword
+
+--
+
+*`rsa.web.remote_domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_ref_page`*::
++
+--
+This key captures Web referer's page information
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_root`*::
++
+--
+Web referer's root URL path
+
+type: keyword
+
+--
+
+*`rsa.web.cn_asn_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.cn_rpackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlpage`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlroot`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_url`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_user_agent`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_cookie`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_method`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_referer`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_extension_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_page`*::
++
+--
+type: keyword
+
+--
+
+
+*`rsa.threat.threat_category`*::
++
+--
+This key captures Threat Name/Threat Category/Categorization of alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_desc`*::
++
+--
+This key is used to capture the threat description from the session directly or inferred
+
+type: keyword
+
+--
+
+*`rsa.threat.alert`*::
++
+--
+This key is used to capture name of the alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_source`*::
++
+--
+This key is used to capture source of the threat
+
+type: keyword
+
+--
+
+
+*`rsa.crypto.crypto`*::
++
+--
+This key is used to capture the Encryption Type or Encryption Key only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_src`*::
++
+--
+This key is for Source (Client) Cipher
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_subject`*::
++
+--
+This key is used to capture the Certificate organization only
+
+type: keyword
+
+--
+
+*`rsa.crypto.peer`*::
++
+--
+This key is for Encryption peer's IP Address
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_size_src`*::
++
+--
+This key captures Source (Client) Cipher Size
+
+type: long
+
+--
+
+*`rsa.crypto.ike`*::
++
+--
+IKE negotiation phase.
+
+type: keyword
+
+--
+
+*`rsa.crypto.scheme`*::
++
+--
+This key captures the Encryption scheme used
+
+type: keyword
+
+--
+
+*`rsa.crypto.peer_id`*::
++
+--
+This key is for Encryption peer’s identity
+
+type: keyword
+
+--
+
+*`rsa.crypto.sig_type`*::
++
+--
+This key captures the Signature Type
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_issuer`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_host_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_error`*::
++
+--
+This key captures the Certificate Error String
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_dst`*::
++
+--
+This key is for Destination (Server) Cipher
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_size_dst`*::
++
+--
+This key captures Destination (Server) Cipher Size
+
+type: long
+
+--
+
+*`rsa.crypto.ssl_ver_src`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`rsa.crypto.d_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.s_certauth`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.ike_cookie1`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase One
+
+type: keyword
+
+--
+
+*`rsa.crypto.ike_cookie2`*::
++
+--
+ID of the negotiation — sent for ISAKMP Phase Two
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_checksum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_host_cat`*::
++
+--
+This key is used for the hostname category value of a certificate
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_serial`*::
++
+--
+This key is used to capture the Certificate serial number only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_status`*::
++
+--
+This key captures Certificate validation status
+
+type: keyword
+
+--
+
+*`rsa.crypto.ssl_ver_dst`*::
++
+--
+Deprecated, use version
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_keysize`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_username`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.https_insact`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.https_valid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.crypto.cert_ca`*::
++
+--
+This key is used to capture the Certificate signing authority only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_common`*::
++
+--
+This key is used to capture the Certificate common name only
+
+type: keyword
+
+--
+
+
+*`rsa.wireless.wlan_ssid`*::
++
+--
+This key is used to capture the ssid of a Wireless Session
+
+type: keyword
+
+--
+
+*`rsa.wireless.access_point`*::
++
+--
+This key is used to capture the access point name.
+
+type: keyword
+
+--
+
+*`rsa.wireless.wlan_channel`*::
++
+--
+This is used to capture the channel names
+
+type: long
+
+--
+
+*`rsa.wireless.wlan_name`*::
++
+--
+This key captures either WLAN number/name
+
+type: keyword
+
+--
+
+
+*`rsa.storage.disk_volume`*::
++
+--
+A unique name assigned to logical units (volumes) within a physical disk
+
+type: keyword
+
+--
+
+*`rsa.storage.lun`*::
++
+--
+Logical Unit Number.This key is a very useful concept in Storage.
+
+type: keyword
+
+--
+
+*`rsa.storage.pwwn`*::
++
+--
+This uniquely identifies a port on a HBA.
+
+type: keyword
+
+--
+
+
+*`rsa.physical.org_dst`*::
++
+--
+This is used to capture the destination organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+*`rsa.physical.org_src`*::
++
+--
+This is used to capture the source organization based on the GEOPIP Maxmind database.
+
+type: keyword
+
+--
+
+
+*`rsa.healthcare.patient_fname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_id`*::
++
+--
+This key captures the unique ID for a patient
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_lname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.healthcare.patient_mname`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+
+*`rsa.endpoint.host_state`*::
++
+--
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+
+type: keyword
+
+--
+
+*`rsa.endpoint.registry_key`*::
++
+--
+This key captures the path to the registry key
+
+type: keyword
+
+--
+
+*`rsa.endpoint.registry_value`*::
++
+--
+This key captures values or decorators used within a registry entry
+
+type: keyword
+
+--
+
+[[exported-fields-kibana]]
+== kibana fields
+
+kibana Module
+
+
+
+[float]
+=== kibana
+
+
+
+
+[float]
+=== log
+
+Kafka log lines.
+
+
+
+*`kibana.log.tags`*::
++
+--
+Kibana logging tags.
+
+
+type: keyword
+
+--
+
+*`kibana.log.state`*::
++
+--
+Current state of Kibana.
+
+
+type: keyword
+
+--
+
+*`kibana.log.meta`*::
++
+--
+type: object
+
+--
+
+*`kibana.log.kibana.log.meta.req.headers.referer`*::
++
+--
+type: alias
+
+alias to: http.request.referrer
+
+--
+
+*`kibana.log.kibana.log.meta.req.referer`*::
++
+--
+type: alias
+
+alias to: http.request.referrer
+
+--
+
+*`kibana.log.kibana.log.meta.req.headers.user-agent`*::
++
+--
+type: alias
+
+alias to: user_agent.original
+
+--
+
+*`kibana.log.kibana.log.meta.req.remoteAddress`*::
++
+--
+type: alias
+
+alias to: source.address
+
+--
+
+*`kibana.log.kibana.log.meta.req.url`*::
++
+--
+type: alias
+
+alias to: url.original
+
+--
+
+*`kibana.log.kibana.log.meta.statusCode`*::
++
+--
+type: alias
+
+alias to: http.response.status_code
+
+--
+
+*`kibana.log.kibana.log.meta.method`*::
++
+--
+type: alias
+
+alias to: http.request.method
+
+--
+
+[[exported-fields-kubernetes-processor]]
+== Kubernetes fields
+
+Kubernetes metadata added by the kubernetes processor
+
+
+
+
+*`kubernetes.pod.name`*::
++
+--
+Kubernetes pod name
+
+
+type: keyword
+
+--
+
+*`kubernetes.pod.uid`*::
++
+--
+Kubernetes Pod UID
+
+
+type: keyword
+
+--
+
+*`kubernetes.namespace`*::
++
+--
+Kubernetes namespace
+
+
+type: keyword
+
+--
+
+*`kubernetes.node.name`*::
++
+--
+Kubernetes node name
+
+
+type: keyword
+
+--
+
+*`kubernetes.labels.*`*::
++
+--
+Kubernetes labels map
+
+
+type: object
+
+--
+
+*`kubernetes.annotations.*`*::
++
+--
+Kubernetes annotations map
+
+
+type: object
+
+--
+
+*`kubernetes.replicaset.name`*::
++
+--
+Kubernetes replicaset name
+
+
+type: keyword
+
+--
+
+*`kubernetes.deployment.name`*::
++
+--
+Kubernetes deployment name
+
+
+type: keyword
+
+--
+
+*`kubernetes.statefulset.name`*::
++
+--
+Kubernetes statefulset name
+
+
+type: keyword
+
+--
+
+*`kubernetes.container.name`*::
++
+--
+Kubernetes container name
+
+
+type: keyword
+
+--
+
+*`kubernetes.container.image`*::
++
+--
+Kubernetes container image
+
+
+type: keyword
+
+--
+
+[[exported-fields-log]]
+== Log file
content fields
+
+Contains log file lines.
+
+
+
+*`log.file.path`*::
++
+--
+The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`.
+
+
+type: keyword
+
+required: False
+
+--
+
+*`log.source.address`*::
++
+--
+Source address from which the log event was read / sent from.
+
+
+type: keyword
+
+required: False
+
+--
+
+*`log.offset`*::
++
+--
+The file offset the reported line starts at.
+
+
+type: long
+
+required: False
+
+--
+
+*`stream`*::
++
+--
+Log stream when reading container logs, can be 'stdout' or 'stderr'
+
+
+type: keyword
+
+required: False
+
+--
+
+*`input.type`*::
++
+--
+The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.
+
+
+required: True
+
+--
+
+*`syslog.facility`*::
++
+--
+The facility extracted from the priority.
+
+
+type: long
+
+required: False
+
+--
+
+*`syslog.priority`*::
++
+--
+The priority of the syslog event.
+
+
+type: long
+
+required: False
+
+--
+
+*`syslog.severity_label`*::
++
+--
+The human readable severity.
+
+
+type: keyword
+
+required: False
+
+--
+
+*`syslog.facility_label`*::
++
+--
+The human readable facility.
+
+
+type: keyword
+
+required: False
+
+--
+
+*`process.program`*::
++
+--
+The name of the program.
+
+
+type: keyword
+
+required: False
+
+--
+
+*`log.flags`*::
++
+--
+This field contains the flags of the event.
+
+
+--
+
+*`http.response.content_length`*::
++
+--
+type: alias
+
+alias to: http.response.body.bytes
+
+--
+
+
+
+*`user_agent.os.full_name`*::
++
+--
+type: keyword
+
+--
+
+*`fileset.name`*::
++
+--
+The Filebeat fileset that generated this event.
+
+
+type: keyword
+
+--
+
+*`fileset.module`*::
++
+--
+type: alias
+
+alias to: event.module
+
+--
+
+*`read_timestamp`*::
++
+--
+type: alias
+
+alias to: event.created
+
+--
+
+*`docker.attrs`*::
++
+--
+docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options.
+
+
+type: object
+
+--
+
+*`icmp.code`*::
++
+--
+ICMP code.
+
+
+type: keyword
+
+--
+
+*`icmp.type`*::
++
+--
+ICMP type.
+
+
+type: keyword
+
+--
+
+*`igmp.type`*::
++
+--
+IGMP type.
+
+
+type: keyword
+
+--
+
+
+*`azure.eventhub`*::
++
+--
+Name of the eventhub.
+
+
+type: keyword
+
+--
+
+*`azure.offset`*::
++
+--
+The offset.
+
+
+type: long
+
+--
+
+*`azure.enqueued_time`*::
++
+--
+The enqueued time.
+
+
+type: date
+
+--
+
+*`azure.partition_id`*::
++
+--
+The partition id.
+
+
+type: long
+
+--
+
+*`azure.consumer_group`*::
++
+--
+The consumer group.
+
+
+type: keyword
+
+--
+
+*`azure.sequence_number`*::
++
+--
+The sequence number.
+
+
+type: long
+
+--
+
+
+*`kafka.topic`*::
++
+--
+Kafka topic
+
+
+type: keyword
+
+--
+
+*`kafka.partition`*::
++
+--
+Kafka partition number
+
+
+type: long
+
+--
+
+*`kafka.offset`*::
++
+--
+Kafka offset of this message
+
+
+type: long
+
+--
+
+*`kafka.key`*::
++
+--
+Kafka key, corresponding to the Kafka value stored in the message
+
+
+type: keyword
+
+--
+
+*`kafka.block_timestamp`*::
++
+--
+Kafka outer (compressed) block timestamp
+
+
+type: date
+
+--
+
+*`kafka.headers`*::
++
+--
+An array of Kafka header strings for this message, in the form ": ".
+
+
+type: array
+
+--
+
+[[exported-fields-logstash]]
+== logstash fields
+
+logstash Module
+
+
+
+[float]
+=== logstash
+
+
+
+
+[float]
+=== log
+
+Fields from the Logstash logs.
+
+
+
+*`logstash.log.module`*::
++
+--
+The module or class where the event originate.
+
+
+type: keyword
+
+--
+
+*`logstash.log.thread`*::
++
+--
+Information about the running thread where the log originate.
+
+
+type: keyword
+
+--
+
+*`logstash.log.thread.text`*::
++
+--
+type: text
+
+--
+
+*`logstash.log.log_event`*::
++
+--
+key and value debugging information.
+
+
+type: object
+
+--
+
+*`logstash.log.pipeline_id`*::
++
+--
+The ID of the pipeline.
+
+
+type: keyword
+
+example: main
+
+--
+
+*`logstash.log.message`*::
++
+--
+type: alias
+
+alias to: message
+
+--
+
+*`logstash.log.level`*::
++
+--
+type: alias
+
+alias to: log.level
+
+--
+
+[float]
+=== slowlog
+
+slowlog
+
+
+
+*`logstash.slowlog.module`*::
++
+--
+The module or class where the event originate.
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.thread`*::
++
+--
+Information about the running thread where the log originate.
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.thread.text`*::
++
+--
+type: text
+
+--
+
+*`logstash.slowlog.event`*::
++
+--
+Raw dump of the original event
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.event.text`*::
++
+--
+type: text
+
+--
+
+*`logstash.slowlog.plugin_name`*::
++
+--
+Name of the plugin
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.plugin_type`*::
++
+--
+Type of the plugin: Inputs, Filters, Outputs or Codecs.
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.took_in_millis`*::
++
+--
+Execution time for the plugin in milliseconds.
+
+
+type: long
+
+--
+
+*`logstash.slowlog.plugin_params`*::
++
+--
+String value of the plugin configuration
+
+
+type: keyword
+
+--
+
+*`logstash.slowlog.plugin_params.text`*::
++
+--
+type: text
+
+--
+
+*`logstash.slowlog.plugin_params_object`*::
++
+--
+key -> value of the configuration used by the plugin.
+
+
+type: object
+
+--
+
+*`logstash.slowlog.level`*::
++
+--
+type: alias
+
+alias to: log.level
+
+--
+
+*`logstash.slowlog.took_in_nanos`*::
++
+--
+type: alias
+
+alias to: event.duration
+
+--
+
+[[exported-fields-microsoft]]
+== Microsoft DHCP fields
+
+microsoft fields.
+
+
+
+*`network.interface.name`*::
++
+--
+Name of the network interface where the traffic has been observed.
+
+
+type: keyword
+
+--
+
+
+
+*`rsa.internal.msg`*::
++
+--
+This key is used to capture the raw message that comes into the Log Decoder
+
+type: keyword
+
+--
+
+*`rsa.internal.messageid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.internal.event_desc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.internal.message`*::
++
+--
+This key captures the contents of instant messages
+
+type: keyword
+
+--
+
+*`rsa.internal.time`*::
++
+--
+This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+
+type: date
+
+--
+
+*`rsa.internal.level`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`rsa.internal.msg_id`*::
++
+--
+This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.msg_vid`*::
++
+--
+This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.data`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.obj_server`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.obj_val`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.resource`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.obj_id`*::
++
+--
+Deprecated key defined only in table map.
+ +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-misp]] +== MISP fields + +Module for handling threat information from MISP. + + + +[float] +=== misp + +Fields from MISP threat information. + + + +[float] +=== attack_pattern + +Fields provide support for specifying information about attack patterns. + + + +*`misp.attack_pattern.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.attack_pattern.name`*:: ++ +-- +Name of the attack pattern. + + +type: keyword + +-- + +*`misp.attack_pattern.description`*:: ++ +-- +Description of the attack pattern. + + +type: text + +-- + +*`misp.attack_pattern.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this attack pattern corresponds. + + +type: keyword + +-- + +[float] +=== campaign + +Fields provide support for specifying information about campaigns. + + + +*`misp.campaign.id`*:: ++ +-- +Identifier of the campaign. 
+ + +type: keyword + +-- + +*`misp.campaign.name`*:: ++ +-- +Name of the campaign. + + +type: keyword + +-- + +*`misp.campaign.description`*:: ++ +-- +Description of the campaign. + + +type: text + +-- + +*`misp.campaign.aliases`*:: ++ +-- +Alternative names used to identify this campaign. + + +type: text + +-- + +*`misp.campaign.first_seen`*:: ++ +-- +The time that this Campaign was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.last_seen`*:: ++ +-- +The time that this Campaign was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.objective`*:: ++ +-- +This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. + + +type: keyword + +-- + +[float] +=== course_of_action + +A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. + + + +*`misp.course_of_action.id`*:: ++ +-- +Identifier of the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.name`*:: ++ +-- +The name used to identify the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.description`*:: ++ +-- +Description of the Course of Action. + + +type: text + +-- + +[float] +=== identity + +Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. + + + +*`misp.identity.id`*:: ++ +-- +Identifier of the Identity. + + +type: keyword + +-- + +*`misp.identity.name`*:: ++ +-- +The name used to identify the Identity. + + +type: keyword + +-- + +*`misp.identity.description`*:: ++ +-- +Description of the Identity. + + +type: text + +-- + +*`misp.identity.identity_class`*:: ++ +-- +The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov + + +type: keyword + +-- + +*`misp.identity.labels`*:: ++ +-- +The list of roles that this Identity performs. 
+ + +type: keyword + +example: CEO + + +-- + +*`misp.identity.sectors`*:: ++ +-- +The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov + + +type: keyword + +-- + +*`misp.identity.contact_information`*:: ++ +-- +The contact information (e-mail, phone number, etc.) for this Identity. + + +type: text + +-- + +[float] +=== intrusion_set + +An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. + + + +*`misp.intrusion_set.id`*:: ++ +-- +Identifier of the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.name`*:: ++ +-- +The name used to identify the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.description`*:: ++ +-- +Description of the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.aliases`*:: ++ +-- +Alternative names used to identify the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.first_seen`*:: ++ +-- +The time that this Intrusion Set was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.last_seen`*:: ++ +-- +The time that this Intrusion Set was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.goals`*:: ++ +-- +The high level goals of this Intrusion Set, namely, what are they trying to do. + + +type: text + +-- + +*`misp.intrusion_set.resource_level`*:: ++ +-- +This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov + + +type: text + +-- + +*`misp.intrusion_set.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov + + +type: text + +-- + +*`misp.intrusion_set.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Intrusion Set. 
Open Vocab - attack-motivation-ov + + +type: text + +-- + +[float] +=== malware + +Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. + + + +*`misp.malware.id`*:: ++ +-- +Identifier of the Malware. + + +type: keyword + +-- + +*`misp.malware.name`*:: ++ +-- +The name used to identify the Malware. + + +type: keyword + +-- + +*`misp.malware.description`*:: ++ +-- +Description of the Malware. + + +type: text + +-- + +*`misp.malware.labels`*:: ++ +-- +The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm + + +type: keyword + +-- + +*`misp.malware.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Malware instance can be used. + + +type: keyword + +format: string + +-- + +[float] +=== note + +A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. + + + +*`misp.note.id`*:: ++ +-- +Identifier of the Note. + + +type: keyword + +-- + +*`misp.note.summary`*:: ++ +-- +A brief description used as a summary of the Note. + + +type: keyword + +-- + +*`misp.note.description`*:: ++ +-- +The content of the Note. + + +type: text + +-- + +*`misp.note.authors`*:: ++ +-- +The name of the author(s) of this Note. + + +type: keyword + +-- + +*`misp.note.object_refs`*:: ++ +-- +The STIX Objects (SDOs and SROs) that the note is being applied to. 
+ + +type: keyword + +-- + +[float] +=== threat_indicator + +Fields provide support for specifying information about threat indicators, and related matching patterns. + + + +*`misp.threat_indicator.labels`*:: ++ +-- +list of type open-vocab that specifies the type of indicator. + + +type: keyword + +example: Domain Watchlist + + +-- + +*`misp.threat_indicator.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.version`*:: ++ +-- +Version of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.type`*:: ++ +-- +Type of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.description`*:: ++ +-- +Description of the threat indicator. + + +type: text + +-- + +*`misp.threat_indicator.feed`*:: ++ +-- +Name of the threat feed. + + +type: text + +-- + +*`misp.threat_indicator.valid_from`*:: ++ +-- +The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.valid_until`*:: ++ +-- +The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.severity`*:: ++ +-- +Threat severity to which this indicator corresponds. + + +type: keyword + +example: high + +format: string + +-- + +*`misp.threat_indicator.confidence`*:: ++ +-- +Confidence level to which this indicator corresponds. + + +type: keyword + +example: high + +-- + +*`misp.threat_indicator.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this indicator corresponds. + + +type: keyword + +format: string + +-- + +*`misp.threat_indicator.mitre_tactic`*:: ++ +-- +MITRE tactics to which this indicator corresponds. 
+ + +type: keyword + +example: Initial Access + +format: string + +-- + +*`misp.threat_indicator.mitre_technique`*:: ++ +-- +MITRE techniques to which this indicator corresponds. + + +type: keyword + +example: Drive-by Compromise + +format: string + +-- + +*`misp.threat_indicator.attack_pattern`*:: ++ +-- +The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. + + +type: keyword + +example: [destination:ip = '91.219.29.188/32'] + + +-- + +*`misp.threat_indicator.attack_pattern_kql`*:: ++ +-- +The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. + + +type: keyword + +example: destination.ip: "91.219.29.188/32" + + +-- + +*`misp.threat_indicator.negate`*:: ++ +-- +When set to true, it specifies the absence of the attack_pattern. + + +type: boolean + +-- + +*`misp.threat_indicator.intrusion_set`*:: ++ +-- +Name of the intrusion set if known. + + +type: keyword + +-- + +*`misp.threat_indicator.campaign`*:: ++ +-- +Name of the attack campaign if known. + + +type: keyword + +-- + +*`misp.threat_indicator.threat_actor`*:: ++ +-- +Name of the threat actor if known. + + +type: keyword + +-- + +[float] +=== observed_data + +Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. + + + +*`misp.observed_data.id`*:: ++ +-- +Identifier of the Observed Data. + + +type: keyword + +-- + +*`misp.observed_data.first_observed`*:: ++ +-- +The beginning of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.last_observed`*:: ++ +-- +The end of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.number_observed`*:: ++ +-- +The number of times the data represented in the objects property was observed. 
This MUST be an integer between 1 and 999,999,999 inclusive. + + +type: integer + +-- + +*`misp.observed_data.objects`*:: ++ +-- +A dictionary of Cyber Observable Objects that describes the single fact that was observed. + + +type: keyword + +-- + +[float] +=== report + +Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. + + + +*`misp.report.id`*:: ++ +-- +Identifier of the Report. + + +type: keyword + +-- + +*`misp.report.labels`*:: ++ +-- +This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability + + +type: keyword + +-- + +*`misp.report.name`*:: ++ +-- +The name used to identify the Report. + + +type: keyword + +-- + +*`misp.report.description`*:: ++ +-- +A description that provides more details and context about Report. + + +type: text + +-- + +*`misp.report.published`*:: ++ +-- +The date that this report object was officially published by the creator of this report, in RFC3339 format. + + +type: date + +-- + +*`misp.report.object_refs`*:: ++ +-- +Specifies the STIX Objects that are referred to by this Report. + + +type: text + +-- + +[float] +=== threat_actor + +Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. + + + +*`misp.threat_actor.id`*:: ++ +-- +Identifier of the Threat Actor. + + +type: keyword + +-- + +*`misp.threat_actor.labels`*:: ++ +-- +This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist + + +type: keyword + +-- + +*`misp.threat_actor.name`*:: ++ +-- +The name used to identify this Threat Actor or Threat Actor group. 
+ + +type: keyword + +-- + +*`misp.threat_actor.description`*:: ++ +-- +A description that provides more details and context about the Threat Actor. + + +type: text + +-- + +*`misp.threat_actor.aliases`*:: ++ +-- +A list of other names that this Threat Actor is believed to use. + + +type: text + +-- + +*`misp.threat_actor.roles`*:: ++ +-- +This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author + + +type: text + +-- + +*`misp.threat_actor.goals`*:: ++ +-- +The high level goals of this Threat Actor, namely, what are they trying to do. + + +type: text + +-- + +*`misp.threat_actor.sophistication`*:: ++ +-- +The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator + + +type: text + +-- + +*`misp.threat_actor.resource_level`*:: ++ +-- +This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government + + +type: text + +-- + +*`misp.threat_actor.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.personal_motivations`*:: ++ +-- +The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +[float] +=== tool + +Tools are legitimate software that can be used by threat actors to perform attacks. + + + +*`misp.tool.id`*:: ++ +-- +Identifier of the Tool. + + +type: keyword + +-- + +*`misp.tool.labels`*:: ++ +-- +The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning + + +type: keyword + +-- + +*`misp.tool.name`*:: ++ +-- +The name used to identify the Tool. + + +type: keyword + +-- + +*`misp.tool.description`*:: ++ +-- +A description that provides more details and context about the Tool. + + +type: text + +-- + +*`misp.tool.tool_version`*:: ++ +-- +The version identifier associated with the Tool. + + +type: keyword + +-- + +*`misp.tool.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Tool instance can be used. + + +type: text + +-- + +[float] +=== vulnerability + +A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. + + + +*`misp.vulnerability.id`*:: ++ +-- +Identifier of the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.name`*:: ++ +-- +The name used to identify the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.description`*:: ++ +-- +A description that provides more details and context about the Vulnerability. 
+ + +type: text + +-- + +[[exported-fields-mongodb]] +== mongodb fields + +Module for parsing MongoDB log files. + + + +[float] +=== mongodb + +Fields from MongoDB logs. + + + +[float] +=== log + +Contains fields from MongoDB logs. + + + +*`mongodb.log.component`*:: ++ +-- +Functional categorization of message + + +type: keyword + +example: COMMAND + +-- + +*`mongodb.log.context`*:: ++ +-- +Context of message + + +type: keyword + +example: initandlisten + +-- + +*`mongodb.log.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mongodb.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-mssql]] +== mssql fields + +MS SQL Filebeat Module + + +[float] +=== mssql + +Fields from the MSSQL log files + + +[float] +=== log + +Common log fields + + +*`mssql.log.origin`*:: ++ +-- +Origin of the message, usually the server but it can also be a recovery process + +type: keyword + +-- + +[[exported-fields-mysql]] +== MySQL fields + +Module for parsing the MySQL log files. + + + +[float] +=== mysql + +Fields from the MySQL log files. + + + +*`mysql.thread_id`*:: ++ +-- +The connection or thread ID for the query. + + +type: long + +-- + +[float] +=== error + +Contains fields from the MySQL error logs. + + + +*`mysql.error.thread_id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mysql.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Contains fields from the MySQL slow logs. + + + +*`mysql.slowlog.lock_time.sec`*:: ++ +-- +The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. + + +type: float + +-- + +*`mysql.slowlog.rows_sent`*:: ++ +-- +The number of rows returned by the query. + + +type: long + +-- + +*`mysql.slowlog.rows_examined`*:: ++ +-- +The number of rows scanned by the query. 
+ + +type: long + +-- + +*`mysql.slowlog.rows_affected`*:: ++ +-- +The number of rows modified by the query. + + +type: long + +-- + +*`mysql.slowlog.bytes_sent`*:: ++ +-- +The number of bytes sent to client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.bytes_received`*:: ++ +-- +The number of bytes received from client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.query`*:: ++ +-- +The slow query. + + +-- + +*`mysql.slowlog.id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.slowlog.schema`*:: ++ +-- +The schema where the slow query was executed. + + +type: keyword + +-- + +*`mysql.slowlog.current_user`*:: ++ +-- +Current authenticated user, used to determine access privileges. Can differ from the value for user. + + +type: keyword + +-- + +*`mysql.slowlog.last_errno`*:: ++ +-- +Last SQL error seen. + + +type: keyword + +-- + +*`mysql.slowlog.killed`*:: ++ +-- +Code of the reason if the query was killed. + + +type: keyword + +-- + +*`mysql.slowlog.query_cache_hit`*:: ++ +-- +Whether the query cache was hit. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table`*:: ++ +-- +Whether a temporary table was used to resolve the query. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table_on_disk`*:: ++ +-- +Whether the query needed temporary tables on disk. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_tables`*:: ++ +-- +Number of temporary tables created for this query + + +type: long + +-- + +*`mysql.slowlog.tmp_disk_tables`*:: ++ +-- +Number of temporary tables created on disk for this query. + + +type: long + +-- + +*`mysql.slowlog.tmp_table_sizes`*:: ++ +-- +Size of temporary tables created for this query. + +type: long + +format: bytes + +-- + +*`mysql.slowlog.filesort`*:: ++ +-- +Whether filesort optimization was used. + + +type: boolean + +-- + +*`mysql.slowlog.filesort_on_disk`*:: ++ +-- +Whether filesort optimization was used and it needed temporary tables on disk. 
+ + +type: boolean + +-- + +*`mysql.slowlog.priority_queue`*:: ++ +-- +Whether a priority queue was used for filesort. + + +type: boolean + +-- + +*`mysql.slowlog.full_scan`*:: ++ +-- +Whether a full table scan was needed for the slow query. + + +type: boolean + +-- + +*`mysql.slowlog.full_join`*:: ++ +-- +Whether a full join was needed for the slow query (no indexes were used for joins). + + +type: boolean + +-- + +*`mysql.slowlog.merge_passes`*:: ++ +-- +Number of merge passes executed for the query. + + +type: long + +-- + +*`mysql.slowlog.sort_merge_passes`*:: ++ +-- +Number of merge passes that the sort algorithm has had to do. + + +type: long + +-- + +*`mysql.slowlog.sort_range_count`*:: ++ +-- +Number of sorts that were done using ranges. + + +type: long + +-- + +*`mysql.slowlog.sort_rows`*:: ++ +-- +Number of sorted rows. + + +type: long + +-- + +*`mysql.slowlog.sort_scan_count`*:: ++ +-- +Number of sorts that were done by scanning the table. + + +type: long + +-- + +*`mysql.slowlog.log_slow_rate_type`*:: ++ +-- +Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. + + +type: keyword + +-- + +*`mysql.slowlog.log_slow_rate_limit`*:: ++ +-- +Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. + + +type: keyword + +-- + +*`mysql.slowlog.read_first`*:: ++ +-- +The number of times the first entry in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_last`*:: ++ +-- +The number of times the last key in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_key`*:: ++ +-- +The number of requests to read a row based on a key. + + +type: long + +-- + +*`mysql.slowlog.read_next`*:: ++ +-- +The number of requests to read the next row in key order. + + +type: long + +-- + +*`mysql.slowlog.read_prev`*:: ++ +-- +The number of requests to read the previous row in key order. 
+ + +type: long + +-- + +*`mysql.slowlog.read_rnd`*:: ++ +-- +The number of requests to read a row based on a fixed position. + + +type: long + +-- + +*`mysql.slowlog.read_rnd_next`*:: ++ +-- +The number of requests to read the next row in the data file. + + +type: long + +-- + +[float] +=== innodb + +Contains fields relative to InnoDB engine + + + +*`mysql.slowlog.innodb.trx_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`mysql.slowlog.innodb.io_r_ops`*:: ++ +-- +Number of page read operations. + + +type: long + +-- + +*`mysql.slowlog.innodb.io_r_bytes`*:: ++ +-- +Bytes read during page read operations. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.innodb.io_r_wait.sec`*:: ++ +-- +How long it took to read all needed data from storage. + + +type: long + +-- + +*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: ++ +-- +How long the query waited for locks. + + +type: long + +-- + +*`mysql.slowlog.innodb.queue_wait.sec`*:: ++ +-- +How long the query waited to enter the InnoDB queue and to be executed once in the queue. + + +type: long + +-- + +*`mysql.slowlog.innodb.pages_distinct`*:: ++ +-- +Approximated count of pages accessed to execute the query. + + +type: long + +-- + +*`mysql.slowlog.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`mysql.slowlog.host`*:: ++ +-- +type: alias + +alias to: source.domain + +-- + +*`mysql.slowlog.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +[[exported-fields-nats]] +== NATS fields + +Module for parsing NATS log files. + + + +[float] +=== nats + +Fields from NATS logs. + + + +[float] +=== log + +Nats log files + + + +[float] +=== client + +Fields from NATS logs client. + + + +*`nats.log.client.id`*:: ++ +-- +The id of the client + + +type: integer + +-- + +[float] +=== msg + +Fields from NATS logs message. 
+ + + +*`nats.log.msg.bytes`*:: ++ +-- +Size of the payload in bytes + + +type: long + +format: bytes + +-- + +*`nats.log.msg.type`*:: ++ +-- +The protocol message type + + +type: keyword + +-- + +*`nats.log.msg.subject`*:: ++ +-- +Subject name this message was received on + + +type: keyword + +-- + +*`nats.log.msg.sid`*:: ++ +-- +The unique alphanumeric subscription ID of the subject + + +type: integer + +-- + +*`nats.log.msg.reply_to`*:: ++ +-- +The inbox subject on which the publisher is listening for responses + + +type: keyword + +-- + +*`nats.log.msg.max_messages`*:: ++ +-- +An optional number of messages to wait for before automatically unsubscribing + + +type: integer + +-- + +*`nats.log.msg.error.message`*:: ++ +-- +Details about the error occurred + + +type: text + +-- + +*`nats.log.msg.queue_group`*:: ++ +-- +The queue group which subscriber will join + + +type: text + +-- + +[[exported-fields-netflow]] +== NetFlow fields + +Fields from NetFlow and IPFIX flows. + + + +[float] +=== netflow + +Fields from NetFlow and IPFIX. + + + +*`netflow.type`*:: ++ +-- +The type of NetFlow record described by this event. + + +type: keyword + +-- + +[float] +=== exporter + +Metadata related to the exporter device that generated this record. + + + +*`netflow.exporter.address`*:: ++ +-- +Exporter's network address in IP:port format. + + +type: keyword + +-- + +*`netflow.exporter.source_id`*:: ++ +-- +Observation domain ID to which this record belongs. + + +type: long + +-- + +*`netflow.exporter.timestamp`*:: ++ +-- +Time and date of export. + + +type: date + +-- + +*`netflow.exporter.uptime_millis`*:: ++ +-- +How long the exporter process has been running, in milliseconds. + + +type: long + +-- + +*`netflow.exporter.version`*:: ++ +-- +NetFlow version used. 
+ + +type: integer + +-- + +*`netflow.octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.delta_flow_count`*:: ++ +-- +type: long + +-- + +*`netflow.protocol_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_control_bits`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.egress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.ip_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_source_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_destination_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_mcast_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.post_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.destination_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + 
+*`netflow.flow_label_ipv6`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.sampling_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_algorithm`*:: ++ +-- +type: short + +-- + +*`netflow.flow_active_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_idle_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.engine_type`*:: ++ +-- +type: short + +-- + +*`netflow.engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.exported_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_message_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_flow_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ipv4_router_sc`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.mpls_top_label_type`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.sampler_id`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_mode`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_random_interval`*:: ++ +-- +type: long + +-- + +*`netflow.class_id`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.maximum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_identification`*:: ++ +-- +type: long + +-- + +*`netflow.post_ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_version`*:: ++ +-- +type: short + +-- + +*`netflow.flow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ip_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_next_hop_ipv6_address`*:: ++ 
+-- +type: ip + +-- + +*`netflow.ipv6_extension_headers`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section2`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section3`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section4`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section5`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section7`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section8`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section9`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section10`*:: ++ +-- +type: short + +-- + +*`netflow.destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.sampler_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flags_and_sampler_id`*:: ++ +-- +type: long + +-- + +*`netflow.fragment_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.forwarding_status`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_vpn_route_distinguisher`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.src_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.dst_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.application_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_id`*:: ++ +-- +type: short + +-- + +*`netflow.application_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.multicast_replication_factor`*:: ++ +-- +type: long + 
+-- + +*`netflow.class_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.classification_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.layer2packet_section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_size`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_data`*:: ++ +-- +type: short + +-- + +*`netflow.bgp_next_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_prev_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.dropped_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_reason`*:: ++ +-- +type: short + +-- + +*`netflow.common_properties_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_point_id`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.mpls_top_label_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.line_card_id`*:: ++ +-- +type: long + +-- + +*`netflow.port_id`*:: ++ +-- +type: long + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.exporting_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.template_id`*:: ++ +-- +type: integer + +-- + +*`netflow.wlan_channel_id`*:: ++ +-- +type: short + +-- + +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword + +-- + +*`netflow.flow_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_milliseconds`*:: ++ +-- +type: date + +-- + 
+*`netflow.flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_duration_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_duration_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.observed_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.destination_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.post_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_key_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_type_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.udp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.udp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer + +-- + 
+*`netflow.tcp_sequence_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_window_size`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ip_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.payload_length_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.next_header_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_flags`*:: ++ +-- +type: short + +-- + +*`netflow.octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_length`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_label_stack_depth`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.udp_message_length`*:: ++ +-- +type: integer + +-- + +*`netflow.is_multicast`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_ihl`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_options`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_options`*:: ++ +-- +type: long + +-- + +*`netflow.padding_octets`*:: ++ +-- +type: short + +-- + +*`netflow.collector_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.collector_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.export_interface`*:: ++ +-- +type: long + +-- + +*`netflow.export_protocol_version`*:: ++ +-- +type: short + +-- + +*`netflow.export_transport_protocol`*:: ++ +-- +type: short + +-- + 
+*`netflow.collector_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.exporter_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_fin_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_rst_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_urg_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_napt_source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.post_napt_destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.nat_originating_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_event`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_octets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_octets`*:: ++ +-- +type: long + +-- + +*`netflow.firewall_event`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.egress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.vr_fname`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer + +-- + +*`netflow.biflow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_payload_length`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_total_length`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_customer_priority`*:: ++ +-- +type: short + +-- + 
+*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + +*`netflow.pseudo_wire_id`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_type`*:: ++ +-- +type: integer + +-- + +*`netflow.pseudo_wire_control_word`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.egress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.post_dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_type`*:: ++ +-- +type: integer + +-- + +*`netflow.post_ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.collection_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.export_sctp_stream_id`*:: ++ +-- +type: integer + +-- + +*`netflow.max_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.min_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.opaque_octets`*:: ++ +-- +type: short + +-- + +*`netflow.session_scope`*:: ++ +-- +type: short + +-- + +*`netflow.max_flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.collector_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.exporter_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.data_records_reliability`*:: ++ +-- +type: boolean + +-- + +*`netflow.observation_point_type`*:: ++ +-- +type: short + +-- + 
+*`netflow.new_connection_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.connection_sum_duration_seconds`*:: ++ +-- +type: long + +-- + +*`netflow.connection_transaction_id`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.nat_pool_id`*:: ++ +-- +type: long + +-- + +*`netflow.nat_pool_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.anonymization_flags`*:: ++ +-- +type: integer + +-- + +*`netflow.anonymization_technique`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + +*`netflow.p2p_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.tunnel_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.encrypted_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.bgp_validity_state`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.nat_type`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_packets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_packets`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.selection_sequence_id`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.sampling_packet_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_packet_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_size`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_population`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_probability`*:: ++ +-- +type: double + +-- + +*`netflow.data_link_frame_size`*:: ++ 
+-- +type: integer + +-- + +*`netflow.ip_header_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.data_link_frame_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.selector_id_total_pkts_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_pkts_selected`*:: ++ +-- +type: long + +-- + +*`netflow.absolute_error`*:: ++ +-- +type: double + +-- + +*`netflow.relative_error`*:: ++ +-- +type: double + +-- + +*`netflow.observation_time_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.digest_hash_value`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_offset`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_size`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_initialiser_value`*:: ++ +-- +type: long + +-- + +*`netflow.selector_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.upper_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.lower_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.confidence_level`*:: ++ +-- +type: double + +-- + +*`netflow.information_element_data_type`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_range_begin`*:: 
++ +-- +type: long + +-- + +*`netflow.information_element_range_end`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_units`*:: ++ +-- +type: integer + +-- + +*`netflow.private_enterprise_number`*:: ++ +-- +type: long + +-- + +*`netflow.virtual_station_interface_id`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.layer2_segment_id`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_multicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.monitoring_interval_start_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.monitoring_interval_end_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.port_range_start`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_end`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_step_size`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_num_ports`*:: ++ +-- +type: integer + +-- + +*`netflow.sta_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.sta_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.ingress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.egress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.rtp_sequence_number`*:: ++ +-- +type: integer + +-- + +*`netflow.user_name`*:: ++ +-- +type: 
keyword + +-- + +*`netflow.application_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_sub_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_group_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.original_flows_present`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_initiated`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_completed`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.value_distribution_method`*:: ++ +-- +type: short + +-- + +*`netflow.rfc3550_jitter_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_nanoseconds`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.dot1q_customer_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_selected_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_flow_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_selected`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_spacing`*:: 
++ +-- +type: long + +-- + +*`netflow.hash_flow_domain`*:: ++ +-- +type: integer + +-- + +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.transport_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.original_exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.intermediate_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_data_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.data_link_frame_type`*:: ++ +-- +type: integer + +-- + +*`netflow.section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.section_exported_octets`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_service_instance_tag`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_service_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_service_instance_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.dot1q_customer_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + 
+*`netflow.layer2_octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ignored_layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_integer`*:: ++ +-- +type: integer + +-- + +*`netflow.mib_object_value_octet_string`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_oid`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_bits`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_ip_address`*:: ++ +-- +type: ip + +-- + +*`netflow.mib_object_value_counter`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_gauge`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_time_ticks`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_unsigned`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.mib_sub_identifier`*:: ++ +-- +type: long + +-- + +*`netflow.mib_index_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.mib_capture_time_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_syntax`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_module_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_imsi`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_msisdn`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_status_code`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_ports_limit`*:: ++ +-- +type: integer + +-- + +*`netflow.http_request_method`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_host`*:: ++ +-- +type: keyword + +-- + 
+*`netflow.http_request_target`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_message_version`*:: ++ +-- +type: keyword + +-- + +*`netflow.nat_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.internal_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.external_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_quota_exceeded_event`*:: ++ +-- +type: long + +-- + +*`netflow.nat_threshold_event`*:: ++ +-- +type: long + +-- + +*`netflow.http_user_agent`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_reason_phrase`*:: ++ +-- +type: keyword + +-- + +*`netflow.max_session_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_bib_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_entries_per_user`*:: ++ +-- +type: long + +-- + +*`netflow.max_subscribers`*:: ++ +-- +type: long + +-- + +*`netflow.max_fragments_pending_reassembly`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_per_user_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.vpn_identifier`*:: ++ +-- +type: short + +-- + +[[exported-fields-netscout]] +== Arbor Peakflow SP fields + +netscout fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-nginx]] +== Nginx fields + +Module for parsing the Nginx log files. + + + +[float] +=== nginx + +Fields from the Nginx log files. + + + +[float] +=== access + +Contains fields for the Nginx access logs. + + + +*`nginx.access.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+ + +type: array + +-- + +*`nginx.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: ++ +-- +Connection identifier. 
+ + +type: long + +-- + +*`nginx.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`nginx.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`nginx.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`nginx.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== ingress_controller + +Contains fields for the Ingress Nginx controller access logs. + + + +*`nginx.ingress_controller.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +type: array + +-- + +*`nginx.ingress_controller.http.request.length`*:: ++ +-- +The request length (including request line, header, and request body) + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.http.request.time`*:: ++ +-- +Time elapsed since the first bytes were read from the client + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.name`*:: ++ +-- +The name of the upstream. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.alternative_name`*:: ++ +-- +The name of the alternative upstream. 
+ + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length`*:: ++ +-- +The length of the response obtained from the upstream server + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.upstream.response.time`*:: ++ +-- +The time spent on receiving the response from the upstream server as seconds with millisecond resolution + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.response.status_code`*:: ++ +-- +The status code of the response obtained from the upstream server + + +type: long + +-- + +*`nginx.ingress_controller.http.request.id`*:: ++ +-- +The randomly generated ID of the request + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.ip`*:: ++ +-- +The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + + +type: ip + +-- + +*`nginx.ingress_controller.upstream.port`*:: ++ +-- +The port of the upstream server. + + +type: long + +-- + +*`nginx.ingress_controller.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.ingress_controller.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.ingress_controller.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.ingress_controller.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.ingress_controller.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.ingress_controller.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.ingress_controller.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.ingress_controller.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.ingress_controller.user_agent.name`*:: ++ 
+-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.ingress_controller.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.ingress_controller.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.ingress_controller.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.ingress_controller.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.ingress_controller.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.ingress_controller.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.ingress_controller.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.ingress_controller.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-o365]] +== Office 365 fields + +Module for handling logs from Office 365. + + + +[float] +=== o365.audit + +Fields from Office 365 Management API audit logs. 
+ + + +*`o365.audit.Actor`*:: ++ +-- +type: array + +-- + +*`o365.audit.ActorContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorIpAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorYammerUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertEntityId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertLinks`*:: ++ +-- +type: array + +-- + +*`o365.audit.AlertType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationDisplayName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AzureActiveDirectoryEventType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExchangeMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Category`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientAppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientInfoString`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIP`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIPAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Comments`*:: ++ +-- +type: text + +-- + +*`o365.audit.CorrelationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CreationTime`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CustomUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Data`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.DataType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EntityType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventData`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventSource`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExceptionInfo.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExtendedProperties.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExternalAccess`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.GroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Id`*:: ++ +-- +type: keyword 
+ +-- + +*`o365.audit.ImplicitShare`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IncidentId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InternalLogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InterSystemsId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IntraSystemId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Item.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Item.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ItemName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ItemType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListItemUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonError`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonUserSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerMasterAccountSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerUPN`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Members`*:: ++ +-- +type: array + +-- + +*`o365.audit.Members.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ModifiedProperties.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Name`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ObjectId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Operation`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OriginatingServer`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Parameters.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.PolicyDetails`*:: ++ +-- +type: array + +-- + +*`o365.audit.PolicyId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.RecordType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ResultStatus`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: 
++ +-- +type: keyword + +-- + +*`o365.audit.SharePointMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.SessionId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Severity`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Site`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SiteUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Source`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileExtension`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceRelativeUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Status`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SupportTicketId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Target`*:: ++ +-- +type: array + +-- + +*`o365.audit.TargetContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UniqueSharingId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserAgent`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserKey`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Version`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.WebId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Workload`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.YammerNetworkId`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-okta]] +== Okta fields + +Module for handling system logs from Okta. + + + +[float] +=== okta + +Fields from Okta. + + + +*`okta.uuid`*:: ++ +-- +The unique identifier of the Okta LogEvent. + + +type: keyword + +-- + +*`okta.event_type`*:: ++ +-- +The type of the LogEvent. + + +type: keyword + +-- + +*`okta.version`*:: ++ +-- +The version of the LogEvent. 
+ + +type: keyword + +-- + +*`okta.severity`*:: ++ +-- +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + + +type: keyword + +-- + +*`okta.display_message`*:: ++ +-- +The display message of the LogEvent. + + +type: keyword + +-- + +[float] +=== actor + +Fields that let you store information of the actor for the LogEvent. + + + +*`okta.actor.id`*:: ++ +-- +Identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.type`*:: ++ +-- +Type of the actor. + + +type: keyword + +-- + +*`okta.actor.alternate_id`*:: ++ +-- +Alternate identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.display_name`*:: ++ +-- +Display name of the actor. + + +type: keyword + +-- + +[float] +=== client + +Fields that let you store information about the client of the actor. + + + +*`okta.client.ip`*:: ++ +-- +The IP address of the client. + + +type: ip + +-- + +[float] +=== user_agent + +Fields about the user agent information of the client. + + + +*`okta.client.user_agent.raw_user_agent`*:: ++ +-- +The raw informaton of the user agent. + + +type: keyword + +-- + +*`okta.client.user_agent.os`*:: ++ +-- +The OS informaton. + + +type: keyword + +-- + +*`okta.client.user_agent.browser`*:: ++ +-- +The browser informaton of the client. + + +type: keyword + +-- + +*`okta.client.zone`*:: ++ +-- +The zone information of the client. + + +type: keyword + +-- + +*`okta.client.device`*:: ++ +-- +The information of the client device. + + +type: keyword + +-- + +*`okta.client.id`*:: ++ +-- +The identifier of the client. + + +type: keyword + +-- + +[float] +=== outcome + +Fields that let you store information about the outcome. + + + +*`okta.outcome.reason`*:: ++ +-- +The reason of the outcome. + + +type: keyword + +-- + +*`okta.outcome.result`*:: ++ +-- +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + + +type: keyword + +-- + +*`okta.target`*:: ++ +-- +The list of targets. 
+ + +type: array + +-- + +[float] +=== transaction + +Fields that let you store information about related transaction. + + + +*`okta.transaction.id`*:: ++ +-- +Identifier of the transaction. + + +type: keyword + +-- + +*`okta.transaction.type`*:: ++ +-- +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. + + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. 
+ + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. + + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. 
+ +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +=== osquery + + + + +[float] +=== result + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +The name of the query that generated this event. + + +type: keyword + +-- + +*`osquery.result.action`*:: ++ +-- +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +type: keyword + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +type: keyword + +-- + +*`osquery.result.unix_time`*:: ++ +-- +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +type: long + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +type: keyword + +-- + +[[exported-fields-panw]] +== panw fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +=== panw + +Fields from the panw module. + + + +[float] +=== panos + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`panw.panos.ruleset`*:: ++ +-- +Name of the rule that matched this session. + + +type: keyword + +-- + +[float] +=== source + +Fields to extend the top-level source object. + + + +*`panw.panos.source.zone`*:: ++ +-- +Source zone for this session. + + +type: keyword + +-- + +*`panw.panos.source.interface`*:: ++ +-- +Source interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT source address, if source NAT is performed. + + + +*`panw.panos.source.nat.ip`*:: ++ +-- +Post-NAT source IP. 
+ + +type: ip + +-- + +*`panw.panos.source.nat.port`*:: ++ +-- +Post-NAT source port. + + +type: long + +-- + +[float] +=== destination + +Fields to extend the top-level destination object. + + + +*`panw.panos.destination.zone`*:: ++ +-- +Destination zone for this session. + + +type: keyword + +-- + +*`panw.panos.destination.interface`*:: ++ +-- +Destination interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT destination address, if destination NAT is performed. + + + +*`panw.panos.destination.nat.ip`*:: ++ +-- +Post-NAT destination IP. + + +type: ip + +-- + +*`panw.panos.destination.nat.port`*:: ++ +-- +Post-NAT destination port. + + +type: long + +-- + +[float] +=== network + +Fields to extend the top-level network object. + + + +*`panw.panos.network.pcap_id`*:: ++ +-- +Packet capture ID for a threat. + + +type: keyword + +-- + + +*`panw.panos.network.nat.community_id`*:: ++ +-- +Community ID flow-hash for the NAT 5-tuple. + + +type: keyword + +-- + +[float] +=== file + +Fields to extend the top-level file object. + + + +*`panw.panos.file.hash`*:: ++ +-- +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +type: keyword + +-- + +[float] +=== url + +Fields to extend the top-level url object. + + + +*`panw.panos.url.category`*:: ++ +-- +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +type: keyword + +-- + +*`panw.panos.flow_id`*:: ++ +-- +Internal numeric identifier for each session. + + +type: keyword + +-- + +*`panw.panos.sequence_number`*:: ++ +-- +Log entry identifier that is incremented sequentially. Unique for each log type. + + +type: long + +-- + +*`panw.panos.threat.resource`*:: ++ +-- +URL or file name for a threat. + + +type: keyword + +-- + +*`panw.panos.threat.id`*:: ++ +-- +Palo Alto Networks identifier for the threat. 
+ + +type: keyword + +-- + +*`panw.panos.threat.name`*:: ++ +-- +Palo Alto Networks name for the threat. + + +type: keyword + +-- + +*`panw.panos.action`*:: ++ +-- +Action taken for the session. + +type: keyword + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. + + + +[float] +=== postgresql + +Fields from PostgreSQL logs. + + + +[float] +=== log + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- + +deprecated:[7.3.0] + +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +Core id + + +type: long + +-- + +*`postgresql.log.database`*:: ++ +-- +Name of database + + +example: mydb + +-- + +*`postgresql.log.query`*:: ++ +-- +Query statement. + + +example: SELECT * FROM users; + +-- + +*`postgresql.log.query_step`*:: ++ +-- +Statement step when using extended query protocol (one of statement, parse, bind or execute) + + +example: parse + +-- + +*`postgresql.log.query_name`*:: ++ +-- +Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. 
+ + +example: pdo_stmt_00000001 + +-- + +*`postgresql.log.error.code`*:: ++ +-- +Error code returned by Postgres (if any) + +type: long + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +=== rabbitmq + + + + +[float] +=== log + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: ++ +-- +The Erlang process id + +type: keyword + +example: <0.222.0> + +-- + +[[exported-fields-radware]] +== Radware DefensePro fields + +radware fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+
+type: keyword
+
+--
+
+*`rsa.misc.reference_id1`*::
++
+--
+This key is for Linked ID to be used as an addition to "reference.id"
+
+type: keyword
+
+--
+
+*`rsa.misc.event_log`*::
++
+--
+This key captures the Name of the event log
+
+type: keyword
+
+--
+
+*`rsa.misc.OS`*::
++
+--
+This key captures the Name of the Operating System
+
+type: keyword
+
+--
+
+*`rsa.misc.terminal`*::
++
+--
+This key captures the Terminal Names only
+
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.filter`*::
++
+--
+This key captures Filter used to reduce result set
+
+type: keyword
+
+--
+
+*`rsa.misc.serial_number`*::
++
+--
+This key is the Serial number associated with a physical asset.
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum`*::
++
+--
+This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+
+type: keyword
+
+--
+
+*`rsa.misc.event_user`*::
++
+--
+This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+
+type: keyword
+
+--
+
+*`rsa.misc.virusname`*::
++
+--
+This key captures the name of the virus
+
+type: keyword
+
+--
+
+*`rsa.misc.content_type`*::
++
+--
+This key is used to capture Content Type only.
+
+type: keyword
+
+--
+
+*`rsa.misc.group_id`*::
++
+--
+This key captures Group ID Number (related to the group name)
+
+type: keyword
+
+--
+
+*`rsa.misc.policy_id`*::
++
+--
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+
+type: keyword
+
+--
+
+*`rsa.misc.vsys`*::
++
+--
+This key captures Virtual System Name
+
+type: keyword
+
+--
+
+*`rsa.misc.connection_id`*::
++
+--
+This key captures the Connection ID
+
+type: keyword
+
+--
+
+*`rsa.misc.reference_id2`*::
++
+--
+This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+
+type: keyword
+
+--
+
+*`rsa.misc.sensor`*::
++
+--
+This key captures Name of the sensor. Typically used in IDS/IPS based devices
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_id`*::
++
+--
+This key captures IDS/IPS Int Signature ID
+
+type: long
+
+--
+
+*`rsa.misc.port_name`*::
++
+--
+This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_group`*::
++
+--
+This key captures the Rule group name
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_num`*::
++
+--
+This key captures a Numeric Risk value
+
+type: double
+
+--
+
+*`rsa.misc.trigger_val`*::
++
+--
+This key captures the Value of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`rsa.misc.log_session_id1`*::
++
+--
+This key is used to capture a Linked (Related) Session ID from the session directly
+
+type: keyword
+
+--
+
+*`rsa.misc.comp_version`*::
++
+--
+This key captures the Version level of a sub-component of a product.
+
+type: keyword
+
+--
+
+*`rsa.misc.content_version`*::
++
+--
+This key captures Version level of a signature or database content.
+
+type: keyword
+
+--
+
+*`rsa.misc.hardware_id`*::
++
+--
+This key is used to capture unique identifier for a device or system (NOT a Mac address)
+
+type: keyword
+
+--
+
+*`rsa.misc.risk`*::
++
+--
+This key captures the non-numeric risk value
+
+type: keyword
+
+--
+
+*`rsa.misc.event_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.reason`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.status`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mail_id`*::
++
+--
+This key is used to capture the mailbox id/name
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_uid`*::
++
+--
+This key is the Unique Identifier for a rule.
+
+type: keyword
+
+--
+
+*`rsa.misc.trigger_desc`*::
++
+--
+This key captures the Description of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`rsa.misc.inout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.data_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart4`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.error`*::
++
+--
+This key captures All non successful Error codes or responses
+
+type: keyword
+
+--
+
+*`rsa.misc.index`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.listnum`*::
++
+--
+This key is used to capture listname or listnumber, primarily for collecting access-list
+
+type: keyword
+
+--
+
+*`rsa.misc.ntype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.observed_val`*::
++
+--
+This key captures the Value observed (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`rsa.misc.policy_value`*::
++
+--
+This key captures the contents of the policy. This contains details about the policy
+
+type: keyword
+
+--
+
+*`rsa.misc.pool_name`*::
++
+--
+This key captures the name of a resource pool
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_template`*::
++
+--
+A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+
+type: keyword
+
+--
+
+*`rsa.misc.count`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sigcat`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comments`*::
++
+--
+Comment information provided in the log message
+
+type: keyword
+
+--
+
+*`rsa.misc.doc_number`*::
++
+--
+This key captures File Identification number
+
+type: long
+
+--
+
+*`rsa.misc.expected_val`*::
++
+--
+This key captures the Value expected (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`rsa.misc.job_num`*::
++
+--
+This key captures the Job Number
+
+type: keyword
+
+--
+
+*`rsa.misc.spi_dst`*::
++
+--
+Destination SPI Index
+
+type: keyword
+
+--
+
+*`rsa.misc.spi_src`*::
++
+--
+Source SPI Index
+
+type: keyword
+
+--
+
+*`rsa.misc.code`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.agent_id`*::
++
+--
+This key is used to capture agent id
+
+type: keyword
+
+--
+
+*`rsa.misc.message_body`*::
++
+--
+This key captures the The contents of the message body.
+
+type: keyword
+
+--
+
+*`rsa.misc.phone`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sig_id_str`*::
++
+--
+This key captures a string object of the sigid variable.
+
+type: keyword
+
+--
+
+*`rsa.misc.cmd`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.misc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cpu`*::
++
+--
+This key is the CPU time used in the execution of the event being recorded.
+
+type: long
+
+--
+
+*`rsa.misc.event_desc`*::
++
+--
+This key is used to capture a description of an event available directly or inferred
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_id1`*::
++
+--
+This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+
+type: long
+
+--
+
+*`rsa.misc.im_buddyid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_client`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_userid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.pid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.priority`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.context_subject`*::
++
+--
+This key is to be used in an audit context where the subject is the object being identified
+
+type: keyword
+
+--
+
+*`rsa.misc.context_target`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cve`*::
++
+--
+This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+
+type: keyword
+
+--
+
+*`rsa.misc.fcatnum`*::
++
+--
+This key captures Filter Category Number.
Legacy Usage
+
+type: keyword
+
+--
+
+*`rsa.misc.library`*::
++
+--
+This key is used to capture library information in mainframe devices
+
+type: keyword
+
+--
+
+*`rsa.misc.parent_node`*::
++
+--
+This key captures the Parent Node Name. Must be related to node variable.
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_info`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.tcp_flags`*::
++
+--
+This key is captures the TCP flags set in any packet of session
+
+type: long
+
+--
+
+*`rsa.misc.tos`*::
++
+--
+This key describes the type of service
+
+type: long
+
+--
+
+*`rsa.misc.vm_target`*::
++
+--
+VMWare Target **VMWARE** only varaible.
+
+type: keyword
+
+--
+
+*`rsa.misc.workspace`*::
++
+--
+This key captures Workspace Description
+
+type: keyword
+
+--
+
+*`rsa.misc.command`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.event_category`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.facilityname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.forensic_info`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.jobname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policy`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policy_waiver`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.second`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.space1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.subcategory`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tbdstr2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alert_id`*::
++
+--
+Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum_dst`*::
++
+--
+This key is used to capture the checksum or hash of the the target entity such as a process or file.
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum_src`*::
++
+--
+This key is used to capture the checksum or hash of the source entity such as a file or process.
+
+type: keyword
+
+--
+
+*`rsa.misc.fresult`*::
++
+--
+This key captures the Filter Result
+
+type: long
+
+--
+
+*`rsa.misc.payload_dst`*::
++
+--
+This key is used to capture destination payload
+
+type: keyword
+
+--
+
+*`rsa.misc.payload_src`*::
++
+--
+This key is used to capture source payload
+
+type: keyword
+
+--
+
+*`rsa.misc.pool_id`*::
++
+--
+This key captures the identifier (typically numeric field) of a resource pool
+
+type: keyword
+
+--
+
+*`rsa.misc.process_id_val`*::
++
+--
+This key is a failure key for Process ID when it is not an integer value
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_num_comm`*::
++
+--
+This key captures Risk Number Community
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_next`*::
++
+--
+This key captures Risk Number NextGen
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_sand`*::
++
+--
+This key captures Risk Number SandBox
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_static`*::
++
+--
+This key captures Risk Number Static
+
+type: double
+
+--
+
+*`rsa.misc.risk_suspicious`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_warning`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.snmp_oid`*::
++
+--
+SNMP Object Identifier
+
+type: keyword
+
+--
+
+*`rsa.misc.sql`*::
++
+--
+This key captures the SQL query
+
+type: keyword
+
+--
+
+*`rsa.misc.vuln_ref`*::
++
+--
+This key captures the Vulnerability Reference details
+
+type: keyword
+
+--
+
+*`rsa.misc.acl_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_op`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_pos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_table`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.admin`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alarm_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alarmname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.app_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.audit`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.audit_object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.auditdata`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.benchmark`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.bypass`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache_hit`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cefversion`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_attr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_obj`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_path`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.changes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.client_ip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.clustermembers`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_acttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_asn_src`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_bgpv4nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ctr_dst_code`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_f_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampintv`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampmode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inacttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermbyts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermpckts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_invalid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ip_proto_ver`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ipv4_ident`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_l_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_did`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_rid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_max_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_maxpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_min_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_minpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_10`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_4`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_5`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_6`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_7`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_8`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_9`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_byt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_pks`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_muligmptype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampalgo`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampint`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_seqctr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_spackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sysuptime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_template_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totbytsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totflowexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totpcktsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_unixnanosecs`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6flowlabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6optheaders`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_class`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_rbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_sbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cpu_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.criticality`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_agency_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_analyzedby`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_other`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_primary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_secondary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bgpv6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bit9status`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_context`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_control`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_datecret`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_dst_tld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_dst_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_src_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_event_uuid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_filetype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_desc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ip_next_hop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4dstpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4srcpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_lifetime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_log_medium`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_loginname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulescore`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulesign`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_opswatresult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_payload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrant`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrar`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_represult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_rpayload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sampler_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sourcemodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_streams`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_targetmodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_v6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_whois_server`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_yararesult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.description`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.devvendor`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.distance`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.dstburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomaub`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.euid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.facility`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.finterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.flags`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.gaddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.id3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_buddyname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomtype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_members`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_username`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipkt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipscat`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipspri`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.latitude`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.linenum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.list_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.load_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.location_floor`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.location_mark`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.log_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.log_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.longitude`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.lport`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mbug_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.misc_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msg_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.netsessid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.nwwn`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.operation`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.opkt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.orig_from`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.owner_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_action`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_filter`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_group_object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_result1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.password_chg`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.password_expire`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.permgranted`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.permwanted`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.pgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policyUUID`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.prog_asp_num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.program`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.real_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_asp_device`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_asp_num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_library`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.recordnum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ruid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sdomain_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sec`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sensorname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.seqnum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.session`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sessiontype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sigUUID`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.spi`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcdom`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcservice`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.state`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.status1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.svcno`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.system`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tbdstr1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tgtdom`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tgtdomain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.threshold`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.type1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.udb_class`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.url_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.user_div`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.userid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.username_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.utcstamp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.v_instafname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.virt_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.vpnid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.autorun_type`*::
++
+--
+This is used to capture Auto Run type
+
+type: keyword
+
+--
+
+*`rsa.misc.cc_number`*::
++
+--
+Valid Credit Card Numbers only
+
+type: long
+
+--
+
+*`rsa.misc.content`*::
++
+--
+This key captures the content type from protocol headers
+
+type: keyword
+
+--
+
+*`rsa.misc.ein_number`*::
++
+--
+Employee Identification Numbers only
+
+type: long
+
+--
+
+*`rsa.misc.found`*::
++
+--
+This is used to capture the results of regex match
+
+type: keyword
+
+--
+
+*`rsa.misc.language`*::
++
+--
+This is used to capture list of languages the client support and what it prefers
+
+type: keyword
+
+--
+
+*`rsa.misc.lifetime`*::
++
+--
+This key is used to capture the session lifetime in seconds.
+
+type: long
+
+--
+
+*`rsa.misc.link`*::
++
+--
+This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.misc.match`*::
++
+--
+This key is for regex match name from search.ini
+
+type: keyword
+
+--
+
+*`rsa.misc.param_dst`*::
++
+--
+This key captures the command line/launch argument of the target process or file
+
+type: keyword
+
+--
+
+*`rsa.misc.param_src`*::
++
+--
+This key captures source parameter
+
+type: keyword
+
+--
+
+*`rsa.misc.search_text`*::
++
+--
+This key captures the Search Text used
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_name`*::
++
+--
+This key is used to capture the Signature Name only.
+
+type: keyword
+
+--
+
+*`rsa.misc.snmp_value`*::
++
+--
+SNMP set request value
+
+type: keyword
+
+--
+
+*`rsa.misc.streams`*::
++
+--
+This key captures number of streams in session
+
+type: long
+
+--
+
+
+*`rsa.db.index`*::
++
+--
+This key captures IndexID of the index.
+
+type: keyword
+
+--
+
+*`rsa.db.instance`*::
++
+--
+This key is used to capture the database server instance name
+
+type: keyword
+
+--
+
+*`rsa.db.database`*::
++
+--
+This key is used to capture the name of a database or an instance as seen in a session
+
+type: keyword
+
+--
+
+*`rsa.db.transact_id`*::
++
+--
+This key captures the SQL transantion ID of the current session
+
+type: keyword
+
+--
+
+*`rsa.db.permissions`*::
++
+--
+This key captures permission or privilege level assigned to a resource.
+
+type: keyword
+
+--
+
+*`rsa.db.table_name`*::
++
+--
+This key is used to capture the table name
+
+type: keyword
+
+--
+
+*`rsa.db.db_id`*::
++
+--
+This key is used to capture the unique identifier for a database
+
+type: keyword
+
+--
+
+*`rsa.db.db_pid`*::
++
+--
+This key captures the process id of a connection with database server
+
+type: long
+
+--
+
+*`rsa.db.lread`*::
++
+--
+This key is used for the number of logical reads
+
+type: long
+
+--
+
+*`rsa.db.lwrite`*::
++
+--
+This key is used for the number of logical writes
+
+type: long
+
+--
+
+*`rsa.db.pread`*::
++
+--
+This key is used for the number of physical writes
+
+type: long
+
+--
+
+
+*`rsa.network.alias_host`*::
++
+--
+This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+
+type: keyword
+
+--
+
+*`rsa.network.domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_dst`*::
++
+--
+This key should only be used when it’s a Destination Hostname
+
+type: keyword
+
+--
+
+*`rsa.network.network_service`*::
++
+--
+This is used to capture layer 7 protocols/service names
+
+type: keyword
+
+--
+
+*`rsa.network.interface`*::
++
+--
+This key should be used when the source or destination context of an interface is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.network_port`*::
++
+--
+Deprecated, use port.
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)
+
+type: long
+
+--
+
+*`rsa.network.eth_host`*::
++
+--
+Deprecated, use alias.mac
+
+type: keyword
+
+--
+
+*`rsa.network.sinterface`*::
++
+--
+This key should only be used when it’s a Source Interface
+
+type: keyword
+
+--
+
+*`rsa.network.dinterface`*::
++
+--
+This key should only be used when it’s a Destination Interface
+
+type: keyword
+
+--
+
+*`rsa.network.vlan`*::
++
+--
+This key should only be used to capture the ID of the Virtual LAN
+
+type: long
+
+--
+
+*`rsa.network.zone_src`*::
++
+--
+This key should only be used when it’s a Source Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.zone`*::
++
+--
+This key should be used when the source or destination context of a Zone is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.zone_dst`*::
++
+--
+This key should only be used when it’s a Destination Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.gateway`*::
++
+--
+This key is used to capture the IP Address of the gateway
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_type`*::
++
+--
+This key is used to capture the ICMP type only
+
+type: long
+
+--
+
+*`rsa.network.mask`*::
++
+--
+This key is used to capture the device network IPmask.
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_code`*::
++
+--
+This key is used to capture the ICMP code only
+
+type: long
+
+--
+
+*`rsa.network.protocol_detail`*::
++
+--
+This key should be used to capture additional protocol information
+
+type: keyword
+
+--
+
+*`rsa.network.dmask`*::
++
+--
+This key is used for Destionation Device network mask
+
+type: keyword
+
+--
+
+*`rsa.network.port`*::
++
+--
+This key should only be used to capture a Network Port when the directionality is not clear
+
+type: long
+
+--
+
+*`rsa.network.smask`*::
++
+--
+This key is used for capturing source Network Mask
+
+type: keyword
+
+--
+
+*`rsa.network.netname`*::
++
+--
+This key is used to capture the network name associated with an IP range. This is configured by the end user.
+
+type: keyword
+
+--
+
+*`rsa.network.paddr`*::
++
+--
+Deprecated
+
+type: ip
+
+--
+
+*`rsa.network.faddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.lhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.origin`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.remote_domain_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.addr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_a_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_ptr_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fport`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.laddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.linterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.phost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.ad_computer_dst`*::
++
+--
+Deprecated, use host.dst
+
+type: keyword
+
+--
+
+*`rsa.network.eth_type`*::
++
+--
+This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+
+type: long
+
+--
+
+*`rsa.network.ip_proto`*::
++
+--
+This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+
+type: long
+
+--
+
+*`rsa.network.dns_cname_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_opcode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_resp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.domain1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.packet_length`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_orig`*::
++
+--
+This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+
+type: keyword
+
+--
+
+*`rsa.network.rpayload`*::
++
+--
+This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+
+type: keyword
+
+--
+
+*`rsa.network.vlan_name`*::
++
+--
+This key should only be used to capture the name of the Virtual LAN
+
+type: keyword
+
+--
+
+
+*`rsa.investigations.ec_activity`*::
++
+--
+This key captures the particular event activity(Ex:Logoff)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_theme`*::
++
+--
+This key captures the Theme of a particular Event(Ex:Authentication)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_subject`*::
++
+--
+This key captures the Subject of a particular Event(Ex:User)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_outcome`*::
++
+--
+This key captures the outcome of a particular Event(Ex:Success)
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_cat`*::
++
+--
+This key captures the Event category number
+
+type: long
+
+--
+
+*`rsa.investigations.event_cat_name`*::
++
+--
+This key captures the event category name corresponding to the event cat code
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_vcat`*::
++
+--
+This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_file`*::
++
+--
+This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-rapid7]] +== Rapid7 NeXpose fields + +rapid7 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.change_old`*::
++
+--
+This key is used to capture the old value of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.operation_id`*::
++
+--
+An alert number or operation number. The values should be unique and non-repeating.
+
+type: keyword
+
+--
+
+*`rsa.misc.event_state`*::
++
+--
+This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+
+type: keyword
+
+--
+
+*`rsa.misc.group_object`*::
++
+--
+This key captures a collection/grouping of entities. Specific usage
+
+type: keyword
+
+--
+
+*`rsa.misc.node`*::
++
+--
+Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+
+type: keyword
+
+--
+
+*`rsa.misc.rule`*::
++
+--
+This key captures the Rule number
+
+type: keyword
+
+--
+
+*`rsa.misc.device_name`*::
++
+--
+This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc
+
+type: keyword
+
+--
+
+*`rsa.misc.param`*::
++
+--
+This key is the parameters passed as part of a command or application, etc.
+
+type: keyword
+
+--
+
+*`rsa.misc.change_attrib`*::
++
+--
+This key is used to capture the name of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.event_computer`*::
++
+--
+This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +=== redis + + + + +[float] +=== log + +Redis log files + + + +*`redis.log.role`*:: ++ +-- +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + + +type: keyword + +-- + +*`redis.log.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`redis.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`redis.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Slow logs are retrieved from Redis via a network connection. + + + +*`redis.slowlog.cmd`*:: ++ +-- +The command executed. + + +type: keyword + +-- + +*`redis.slowlog.duration.us`*:: ++ +-- +How long it took to execute the command in microseconds. + + +type: long + +-- + +*`redis.slowlog.id`*:: ++ +-- +The ID of the query. 
+ + +type: long + +-- + +*`redis.slowlog.key`*:: ++ +-- +The key on which the command was executed. + + +type: keyword + +-- + +*`redis.slowlog.args`*:: ++ +-- +The arguments with which the command was called. + + +type: keyword + +-- + +[[exported-fields-s3]] +== s3 fields + +S3 fields from s3 input. + + + +*`bucket_name`*:: ++ +-- +Name of the S3 bucket that this log retrieved from. + + +type: keyword + +-- + +*`object_key`*:: ++ +-- +Name of the S3 object that this log retrieved from. + + +type: keyword + +-- + +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +=== santa + + + + +*`santa.action`*:: ++ +-- +Action + +type: keyword + +example: EXEC + +-- + +*`santa.decision`*:: ++ +-- +Decision that santad took. + +type: keyword + +example: ALLOW + +-- + +*`santa.reason`*:: ++ +-- +Reason for the decsision. + +type: keyword + +example: CERT + +-- + +*`santa.mode`*:: ++ +-- +Operating mode of Santa. + +type: keyword + +example: M + +-- + +[float] +=== disk + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: ++ +-- +The volume name. + +-- + +*`santa.disk.bus`*:: ++ +-- +The disk bus protocol. + +-- + +*`santa.disk.serial`*:: ++ +-- +The disk serial number. + +-- + +*`santa.disk.bsdname`*:: ++ +-- +The disk BSD name. + +example: disk1s3 + +-- + +*`santa.disk.model`*:: ++ +-- +The disk model. + +example: APPLE SSD SM0512L + +-- + +*`santa.disk.fs`*:: ++ +-- +The disk volume kind (filesystem type). + +example: apfs + +-- + +*`santa.disk.mount`*:: ++ +-- +The disk volume path. + +-- + +*`santa.certificate.common_name`*:: ++ +-- +Common name from code signing certificate. + +type: keyword + +-- + +*`santa.certificate.sha256`*:: ++ +-- +SHA256 hash of code signing certificate. + +type: keyword + +-- + +[[exported-fields-sonicwall]] +== Sonicwall-FW fields + +sonicwall fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-squid]] +== Squid fields + +squid fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-suricata]] +== Suricata fields + +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +=== suricata + +Fields from the Suricata EVE log file. 
+ + + +[float] +=== eve + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_orig`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tcp.tcp_flags`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.psh`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.tcp_flags_tc`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.ack`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.syn`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.tcp_flags_ts`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.rst`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.fin`*:: ++ +-- +type: boolean + +-- + + +*`suricata.eve.fileinfo.sha1`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.filename`*:: ++ +-- +type: alias + +alias to: file.path + +-- + +*`suricata.eve.fileinfo.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.fileinfo.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.stored`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.gaps`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.sha256`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.md5`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.size`*:: ++ +-- +type: alias + +alias to: file.size + +-- + +*`suricata.eve.icmp_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dest_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`suricata.eve.src_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`suricata.eve.proto`*:: ++ +-- +type: alias + +alias to: network.transport + +-- + +*`suricata.eve.pcap_cnt`*:: ++ +-- +type: long + +-- + +*`suricata.eve.src_ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + + +*`suricata.eve.dns.type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrtype`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrname`*:: ++ +-- +type: keyword + +-- 
+ +*`suricata.eve.dns.rdata`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.ttl`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.rcode`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow_id`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.email.status`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dest_ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +*`suricata.eve.icmp_code`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.http.status`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`suricata.eve.http.redirect`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_user_agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`suricata.eve.http.protocol`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_refer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`suricata.eve.http.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`suricata.eve.http.hostname`*:: ++ +-- +type: alias + +alias to: url.domain + +-- + +*`suricata.eve.http.length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`suricata.eve.http.http_method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`suricata.eve.http.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`suricata.eve.in_iface`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.alert.category`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.severity`*:: ++ +-- +type: alias + +alias to: event.severity + +-- + +*`suricata.eve.alert.rev`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.gid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.signature`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.action`*:: ++ +-- +type: alias + +alias to: event.outcome + +-- + 
+*`suricata.eve.alert.signature_id`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.ssh.client.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.client.software_version`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.ssh.server.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.server.software_version`*:: ++ +-- +type: keyword + +-- + + + +*`suricata.eve.stats.capture.kernel_packets`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_drops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_ifdrops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.uptime`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.detect.alert`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.http.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.http.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.file_store.open_files`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.max_frag_hits`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow.tcp_reuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_entered`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_over`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv4`*:: ++ +-- 
+type: long + +-- + +*`suricata.eve.stats.flow.spare`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.tcp.pseudo_failed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.sessions`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.pseudo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.synack`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.syn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.invalid_checksum`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_list_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.rst`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.stream_depth_reached`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_gap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap_diff_data`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.no_flow`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.bytes`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.raw`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ppp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan_qinq`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.null`*:: ++ +-- +type: long + +-- + + 
+*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.invalid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.gre`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pkts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pppoe`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.udp`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sctp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.max_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.teredo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.mpls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sll`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.erspan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ethernet`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ieee8021ah`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.dns.memcap_global`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memcap_state`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow_mgr.rows_busy`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.flow_mgr.flows_timeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.new_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_removed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.est_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_empty`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.stats.app_layer.flow.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.msn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.imap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.app_layer.flow.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.app_layer.tx.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.tls.notbefore`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.issuerdn`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.sni`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.session_resumed`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tls.fingerprint`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.serial`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.notafter`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.subject`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3s.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3s.hash`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3.hash`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_ts`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.flow.bytes_toclient`*:: ++ +-- +type: alias + +alias to: destination.bytes + +-- + +*`suricata.eve.flow.start`*:: ++ +-- +type: alias + +alias to: event.start + +-- + +*`suricata.eve.flow.pkts_toclient`*:: ++ +-- +type: alias + +alias to: destination.packets + +-- + 
+*`suricata.eve.flow.age`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.bytes_toserver`*:: ++ +-- +type: alias + +alias to: source.bytes + +-- + +*`suricata.eve.flow.reason`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.pkts_toserver`*:: ++ +-- +type: alias + +alias to: source.packets + +-- + +*`suricata.eve.flow.end`*:: ++ +-- +type: date + +-- + +*`suricata.eve.flow.alerted`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.app_proto`*:: ++ +-- +type: alias + +alias to: network.protocol + +-- + +*`suricata.eve.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.app_proto_tc`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.smtp.rcpt_to`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.mail_from`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.helo`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_expected`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-system]] +== System fields + +Module for parsing system log files. + + + +[float] +=== system + +Fields from the system log files. + + + +[float] +=== auth + +Fields from the Linux authorization logs. + + + +*`system.auth.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.auth.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.auth.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.auth.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.auth.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`system.auth.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + + +*`system.auth.ssh.method`*:: ++ +-- +The SSH authentication method. Can be one of "password" or "publickey". + + +-- + +*`system.auth.ssh.signature`*:: ++ +-- +The signature of the client public key. + + +-- + +*`system.auth.ssh.dropped_ip`*:: ++ +-- +The client IP from SSH connections that are open and immediately dropped. 
+ + +type: ip + +-- + +*`system.auth.ssh.event`*:: ++ +-- +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) + + +example: Accepted + +-- + +*`system.auth.ssh.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`system.auth.ssh.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + + +*`system.auth.ssh.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`system.auth.ssh.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`system.auth.ssh.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`system.auth.ssh.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`system.auth.ssh.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`system.auth.ssh.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== sudo + +Fields specific to events created by the `sudo` command. + + + +*`system.auth.sudo.error`*:: ++ +-- +The error message in case the sudo command failed. + + +example: user NOT in sudoers + +-- + +*`system.auth.sudo.tty`*:: ++ +-- +The TTY where the sudo command is executed. + + +-- + +*`system.auth.sudo.pwd`*:: ++ +-- +The current directory where the sudo command is executed. + + +-- + +*`system.auth.sudo.user`*:: + -- The target user to which the sudo command is switching. -example: root +example: root + +-- + +*`system.auth.sudo.command`*:: ++ +-- +The command executed via sudo. + + +-- + +[float] +=== useradd + +Fields specific to events created by the `useradd` command. + + + +*`system.auth.useradd.home`*:: ++ +-- +The home folder for the new user. + +-- + +*`system.auth.useradd.shell`*:: ++ +-- +The default shell for the new user. 
+ +-- + +*`system.auth.useradd.name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`system.auth.useradd.uid`*:: ++ +-- +type: alias + +alias to: user.id + +-- + +*`system.auth.useradd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== groupadd + +Fields specific to events created by the `groupadd` command. + + + +*`system.auth.groupadd.name`*:: ++ +-- +type: alias + +alias to: group.name + +-- + +*`system.auth.groupadd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== syslog + +Contains fields from the syslog system logs. + + + +*`system.syslog.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.syslog.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.syslog.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.syslog.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.syslog.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-tenable]] +== Tenable Network Security Nessus fields + +tenable fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-tomcat]] +== Apache Tomcat fields + +tomcat fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-traefik]] +== Traefik fields + +Module for parsing the Traefik log files. + + + +[float] +=== traefik + +Fields from the Traefik log files. + + + +[float] +=== access + +Contains fields for the Traefik access logs. 
+ + + +*`traefik.access.user_identifier`*:: ++ +-- +Is the RFC 1413 identity of the client + + +type: keyword + +-- + +*`traefik.access.request_count`*:: ++ +-- +The number of requests + + +type: long + +-- + +*`traefik.access.frontend_name`*:: ++ +-- +The name of the frontend used + + +type: keyword + +-- + +*`traefik.access.backend_url`*:: ++ +-- +The url of the backend where request is forwarded + +type: keyword + +-- + +*`traefik.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`traefik.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`traefik.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`traefik.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`traefik.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`traefik.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`traefik.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`traefik.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`traefik.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`traefik.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`traefik.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`traefik.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`traefik.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`traefik.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + 
+*`traefik.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`traefik.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`traefik.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`traefik.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-zeek]] +== Zeek fields + +Module for handling logs produced by Zeek/Bro + + + +[float] +=== zeek + +Fields from Zeek/Bro logs after normalization + + + +*`zeek.session_id`*:: ++ +-- +A unique identifier of the session + + +type: keyword + +-- + +[float] +=== capture_loss + +Fields exported by the Zeek capture_loss log + + + +*`zeek.capture_loss.ts_delta`*:: ++ +-- +The time delay between this measurement and the last. + + +type: integer + +-- + +*`zeek.capture_loss.peer`*:: ++ +-- +In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. + + +type: keyword + +-- + +*`zeek.capture_loss.gaps`*:: ++ +-- +Number of missed ACKs from the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.acks`*:: ++ +-- +Total number of ACKs seen in the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.percent_lost`*:: ++ +-- +Percentage of ACKs seen where the data being ACKed wasn't seen. + + +type: double + +-- + +[float] +=== connection + +Fields exported by the Zeek Connection log + + + +*`zeek.connection.local_orig`*:: ++ +-- +Indicates whether the session is originated locally. + + +type: boolean + +-- + +*`zeek.connection.local_resp`*:: ++ +-- +Indicates whether the session is responded locally. + + +type: boolean + +-- + +*`zeek.connection.missed_bytes`*:: ++ +-- +Missed bytes for the session. + + +type: long + +-- + +*`zeek.connection.state`*:: ++ +-- +Code indicating the state of the session. 
+ + +type: keyword + +-- + +*`zeek.connection.state_message`*:: ++ +-- +The state of the session. + + +type: keyword + +-- + + +*`zeek.connection.icmp.type`*:: ++ +-- +ICMP message type. + + +type: integer + +-- + +*`zeek.connection.icmp.code`*:: ++ +-- +ICMP message code. + + +type: integer + +-- + +*`zeek.connection.history`*:: ++ +-- +Flags indicating the history of the session. + + +type: keyword + +-- + +*`zeek.connection.vlan`*:: ++ +-- +VLAN identifier. + + +type: integer + +-- + +*`zeek.connection.inner_vlan`*:: ++ +-- +VLAN identifier. + + +type: integer + +-- + +[float] +=== dce_rpc + +Fields exported by the Zeek DCE_RPC log + + + +*`zeek.dce_rpc.rtt`*:: ++ +-- +Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. + + +type: integer + +-- + +*`zeek.dce_rpc.named_pipe`*:: ++ +-- +Remote pipe name. + + +type: keyword + +-- + +*`zeek.dce_rpc.endpoint`*:: ++ +-- +Endpoint name looked up from the uuid. + + +type: keyword + +-- + +*`zeek.dce_rpc.operation`*:: ++ +-- +Operation seen in the call. + + +type: keyword + +-- + +[float] +=== dhcp + +Fields exported by the Zeek DHCP log + + + +*`zeek.dhcp.domain`*:: ++ +-- +Domain given by the server in option 15. + + +type: keyword + +-- + +*`zeek.dhcp.duration`*:: ++ +-- +Duration of the DHCP session representing the time from the first +message to the last, in seconds. + + +type: double + +-- + +*`zeek.dhcp.hostname`*:: ++ +-- +Name given by client in Hostname option 12. + + +type: keyword + +-- + +*`zeek.dhcp.client_fqdn`*:: ++ +-- +FQDN given by client in Client FQDN option 81. + + +type: keyword + +-- + +*`zeek.dhcp.lease_time`*:: ++ +-- +IP address lease interval in seconds. + + +type: integer + +-- + +[float] +=== address + +Addresses seen in this DHCP exchange. + + + +*`zeek.dhcp.address.assigned`*:: ++ +-- +IP address assigned by the server. + + +type: ip + +-- + +*`zeek.dhcp.address.client`*:: ++ +-- +IP address of the client. 
If a transaction is only a client sending +INFORM messages then there is no lease information exchanged so this +is helpful to know who sent the messages. Getting an address in this +field does require that the client sources at least one DHCP message +using a non-broadcast address. + + +type: ip + +-- + +*`zeek.dhcp.address.mac`*:: ++ +-- +Client's hardware address. + + +type: keyword + +-- + +*`zeek.dhcp.address.requested`*:: ++ +-- +IP address requested by the client. + + +type: ip + +-- + +*`zeek.dhcp.address.server`*:: ++ +-- +IP address of the DHCP server. + + +type: ip + +-- + + +*`zeek.dhcp.msg.types`*:: ++ +-- +List of DHCP message types seen in this exchange. + + +type: keyword + +-- + +*`zeek.dhcp.msg.origin`*:: ++ +-- +(present if policy/protocols/dhcp/msg-orig.bro is loaded) +The address that originated each message from the msg.types field. + + +type: ip + +-- + +*`zeek.dhcp.msg.client`*:: ++ +-- +Message typically accompanied with a DHCP_DECLINE so the client can +tell the server why it rejected an address. + + +type: keyword + +-- + +*`zeek.dhcp.msg.server`*:: ++ +-- +Message typically accompanied with a DHCP_NAK to let the client know +why it rejected the request. + + +type: keyword + +-- + + +*`zeek.dhcp.software.client`*:: ++ +-- +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + + +type: keyword + +-- + +*`zeek.dhcp.software.server`*:: ++ +-- +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + + +type: keyword + +-- + + +*`zeek.dhcp.id.circuit`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +Added by DHCP relay agents which terminate switched or permanent +circuits. It encodes an agent-local identifier of the circuit from +which a DHCP client-to-server packet was received. Typically it +should represent a router or switch interface number. 
+ + +type: keyword + +-- + +*`zeek.dhcp.id.remote_agent`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +A globally unique identifier added by relay agents to identify the +remote host end of the circuit. + + +type: keyword + +-- + +*`zeek.dhcp.id.subscriber`*:: ++ +-- +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +The subscriber ID is a value independent of the physical network +configuration so that a customer's DHCP configuration can be given +to them correctly no matter where they are physically connected. + + +type: keyword + +-- + +[float] +=== dnp3 + +Fields exported by the Zeek DNP3 log + + + + +*`zeek.dnp3.function.request`*:: ++ +-- +The name of the function message in the request. + + +type: keyword + +-- + +*`zeek.dnp3.function.reply`*:: ++ +-- +The name of the function message in the reply. + + +type: keyword + +-- + +*`zeek.dnp3.id`*:: ++ +-- +The response's internal indication number. + + +type: integer + +-- + +[float] +=== dns + +Fields exported by the Zeek DNS log + + + +*`zeek.dns.trans_id`*:: ++ +-- +DNS transaction identifier. + + +type: keyword + +-- + +*`zeek.dns.rtt`*:: ++ +-- +Round trip time for the query and response. + + +type: double + +-- + +*`zeek.dns.query`*:: ++ +-- +The domain name that is the subject of the DNS query. + + +type: keyword + +-- + +*`zeek.dns.qclass`*:: ++ +-- +The QCLASS value specifying the class of the query. + + +type: long + +-- + +*`zeek.dns.qclass_name`*:: ++ +-- +A descriptive name for the class of the query. + + +type: keyword + +-- + +*`zeek.dns.qtype`*:: ++ +-- +A QTYPE value specifying the type of the query. + + +type: long + +-- + +*`zeek.dns.qtype_name`*:: ++ +-- +A descriptive name for the type of the query. + + +type: keyword + +-- + +*`zeek.dns.rcode`*:: ++ +-- +The response code value in DNS response messages. + + +type: long + +-- + +*`zeek.dns.rcode_name`*:: ++ +-- +A descriptive name for the response code value. 
+ + +type: keyword + +-- + +*`zeek.dns.AA`*:: ++ +-- +The Authoritative Answer bit for response messages specifies that the responding +name server is an authority for the domain name in the question section. + + +type: boolean + +-- + +*`zeek.dns.TC`*:: ++ +-- +The Truncation bit specifies that the message was truncated. + + +type: boolean + +-- + +*`zeek.dns.RD`*:: ++ +-- +The Recursion Desired bit in a request message indicates that the client +wants recursive service for this query. + + +type: boolean + +-- + +*`zeek.dns.RA`*:: ++ +-- +The Recursion Available bit in a response message indicates that the name +server supports recursive queries. + + +type: boolean + +-- + +*`zeek.dns.answers`*:: ++ +-- +The set of resource descriptions in the query answer. + + +type: keyword + +-- + +*`zeek.dns.TTLs`*:: ++ +-- +The caching intervals of the associated RRs described by the answers field. + + +type: double + +-- + +*`zeek.dns.rejected`*:: ++ +-- +Indicates whether the DNS query was rejected by the server. + + +type: boolean + +-- + +*`zeek.dns.total_answers`*:: ++ +-- +The total number of resource records in the reply. + + +type: integer + +-- + +*`zeek.dns.total_replies`*:: ++ +-- +The total number of resource records in the reply message. + + +type: integer + +-- + +*`zeek.dns.saw_query`*:: ++ +-- +Whether the full DNS query has been seen. + + +type: boolean + +-- + +*`zeek.dns.saw_reply`*:: ++ +-- +Whether the full DNS reply has been seen. + + +type: boolean + +-- + +[float] +=== dpd + +Fields exported by the Zeek DPD log + + + +*`zeek.dpd.analyzer`*:: ++ +-- +The analyzer that generated the violation. + + +type: keyword + +-- + +*`zeek.dpd.failure_reason`*:: ++ +-- +The textual reason for the analysis failure. + + +type: keyword + +-- + +*`zeek.dpd.packet_segment`*:: ++ +-- +(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) +A chunk of the payload that most likely resulted in the protocol violation. 
+ + +type: keyword + +-- + +[float] +=== files + +Fields exported by the Zeek Files log. + + + +*`zeek.files.fuid`*:: ++ +-- +A file unique identifier. + + +type: keyword + +-- + +*`zeek.files.tx_host`*:: ++ +-- +The host that transferred the file. + + +type: ip + +-- + +*`zeek.files.rx_host`*:: ++ +-- +The host that received the file. + + +type: ip + +-- + +*`zeek.files.session_ids`*:: ++ +-- +The sessions that have this file. + + +type: keyword + +-- + +*`zeek.files.source`*:: ++ +-- +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. + + +type: keyword + +-- + +*`zeek.files.depth`*:: ++ +-- +A value to represent the depth of this file in relation to its source. In SMTP, it +is the depth of the MIME attachment on the message. In HTTP, it is the depth of the +request within the TCP connection. + + +type: long + +-- + +*`zeek.files.analyzers`*:: ++ +-- +A set of analysis types done during the file analysis. + + +type: keyword + +-- + +*`zeek.files.mime_type`*:: ++ +-- +Mime type of the file. + + +type: keyword + +-- + +*`zeek.files.filename`*:: ++ +-- +Name of the file if available. + + +type: keyword + +-- + +*`zeek.files.local_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the data +originated from the local network or not. + + +type: boolean + +-- + +*`zeek.files.is_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. + + +type: boolean + +-- + +*`zeek.files.duration`*:: ++ +-- +The duration the file was analyzed for. Not the duration of the session. + + +type: double + +-- + +*`zeek.files.seen_bytes`*:: ++ +-- +Number of bytes provided to the file analysis engine for the file. 
+ + +type: long + +-- + +*`zeek.files.total_bytes`*:: ++ +-- +Total number of bytes that are supposed to comprise the full file. + + +type: long + +-- + +*`zeek.files.missing_bytes`*:: ++ +-- +The number of bytes in the file stream that were completely missed during the process +of analysis. + + +type: long + +-- + +*`zeek.files.overflow_bytes`*:: ++ +-- +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. + + +type: long + +-- + +*`zeek.files.timedout`*:: ++ +-- +Whether the file analysis timed out at least once for the file. + + +type: boolean + +-- + +*`zeek.files.parent_fuid`*:: ++ +-- +Identifier associated with a container file from which this one was extracted as part of +the file analysis. + + +type: keyword + +-- + +*`zeek.files.md5`*:: ++ +-- +An MD5 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.sha1`*:: ++ +-- +A SHA1 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.sha256`*:: ++ +-- +A SHA256 digest of the file contents. + + +type: keyword + +-- + +*`zeek.files.extracted`*:: ++ +-- +Local filename of extracted file. + + +type: keyword + +-- + +*`zeek.files.extracted_cutoff`*:: ++ +-- +Indicate whether the file being extracted was cut off hence not extracted completely. + + +type: boolean + +-- + +*`zeek.files.extracted_size`*:: ++ +-- +The number of bytes extracted to disk. + + +type: long + +-- + +*`zeek.files.entropy`*:: ++ +-- +The information density of the contents of the file. + + +type: double + +-- + +[float] +=== ftp + +Fields exported by the Zeek FTP log + + + +*`zeek.ftp.user`*:: ++ +-- +User name for the current FTP session. + + +type: keyword + +-- + +*`zeek.ftp.password`*:: ++ +-- +Password for the current FTP session if captured. + + +type: keyword + +-- + +*`zeek.ftp.command`*:: ++ +-- +Command given by the client. 
+ + +type: keyword + +-- + +*`zeek.ftp.arg`*:: ++ +-- +Argument for the command if one is given. + + +type: keyword + +-- + + +*`zeek.ftp.file.size`*:: ++ +-- +Size of the file if the command indicates a file transfer. + + +type: long + +-- + +*`zeek.ftp.file.mime_type`*:: ++ +-- +Sniffed mime type of file. + + +type: keyword + +-- + +*`zeek.ftp.file.fuid`*:: ++ +-- +(present if base/protocols/ftp/files.bro is loaded) +File unique ID. + + +type: keyword + +-- + + +*`zeek.ftp.reply.code`*:: ++ +-- +Reply code from the server in response to the command. + + +type: integer + +-- + +*`zeek.ftp.reply.msg`*:: ++ +-- +Reply message from the server in response to the command. + + +type: keyword + +-- + +[float] +=== data_channel + +Expected FTP data channel. + + + +*`zeek.ftp.data_channel.passive`*:: ++ +-- +Whether PASV mode is toggled for control channel. + + +type: boolean + +-- + +*`zeek.ftp.data_channel.originating_host`*:: ++ +-- +The host that will be initiating the data connection. + + +type: ip + +-- + +*`zeek.ftp.data_channel.response_host`*:: ++ +-- +The host that will be accepting the data connection. + + +type: ip + +-- + +*`zeek.ftp.data_channel.response_port`*:: ++ +-- +The port at which the acceptor is listening for the data connection. + + +type: integer + +-- + +*`zeek.ftp.cwd`*:: ++ +-- +Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. + + +type: keyword + +-- + +[float] +=== cmdarg + +Command that is currently waiting for a response. + + + +*`zeek.ftp.cmdarg.cmd`*:: ++ +-- +Command. + + +type: keyword + +-- + +*`zeek.ftp.cmdarg.arg`*:: ++ +-- +Argument for the command if one was given. + + +type: keyword + +-- + +*`zeek.ftp.cmdarg.seq`*:: ++ +-- +Counter to track how many commands have been executed. 
+ + +type: integer + +-- + +*`zeek.ftp.pending_commands`*:: ++ +-- +Queue for commands that have been sent but not yet responded to are tracked here. + + +type: integer + +-- + +*`zeek.ftp.passive`*:: ++ +-- +Indicates if the session is in active or passive mode. + + +type: boolean + +-- + +*`zeek.ftp.capture_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +*`zeek.ftp.last_auth_requested`*:: ++ +-- +present if base/protocols/ftp/gridftp.bro is loaded. +Last authentication/security mechanism that was used. + + +type: keyword + +-- + +[float] +=== http + +Fields exported by the Zeek HTTP log + + + +*`zeek.http.trans_depth`*:: ++ +-- +Represents the pipelined depth into the connection of this request/response transaction. + + +type: integer + +-- + +*`zeek.http.status_msg`*:: ++ +-- +Status message returned by the server. + + +type: keyword + +-- + +*`zeek.http.info_code`*:: ++ +-- +Last seen 1xx informational reply code returned by the server. + + +type: integer + +-- + +*`zeek.http.info_msg`*:: ++ +-- +Last seen 1xx informational reply message returned by the server. + + +type: keyword + +-- + +*`zeek.http.tags`*:: ++ +-- +A set of indicators of various attributes discovered and related to a particular +request/response pair. + + +type: keyword + +-- + +*`zeek.http.password`*:: ++ +-- +Password if basic-auth is performed for the request. + + +type: keyword + +-- + +*`zeek.http.captured_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +*`zeek.http.proxied`*:: ++ +-- +All of the headers that may indicate if the HTTP request was proxied. + + +type: keyword + +-- + +*`zeek.http.range_request`*:: ++ +-- +Indicates if this request can assume 206 partial content in response. + + +type: boolean + +-- + +*`zeek.http.client_header_names`*:: ++ +-- +The vector of HTTP header names sent by the client. 
No header values +are included here, just the header names. + + +type: keyword + +-- + +*`zeek.http.server_header_names`*:: ++ +-- +The vector of HTTP header names sent by the server. No header values +are included here, just the header names. + + +type: keyword + +-- + +*`zeek.http.orig_fuids`*:: ++ +-- +An ordered vector of file unique IDs from the originator. + + +type: keyword + +-- + +*`zeek.http.orig_mime_types`*:: ++ +-- +An ordered vector of mime types from the originator. + + +type: keyword + +-- + +*`zeek.http.orig_filenames`*:: ++ +-- +An ordered vector of filenames from the originator. + + +type: keyword + +-- + +*`zeek.http.resp_fuids`*:: ++ +-- +An ordered vector of file unique IDs from the responder. + + +type: keyword + +-- + +*`zeek.http.resp_mime_types`*:: ++ +-- +An ordered vector of mime types from the responder. + + +type: keyword + +-- + +*`zeek.http.resp_filenames`*:: ++ +-- +An ordered vector of filenames from the responder. + + +type: keyword + +-- + +*`zeek.http.orig_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP request message body. + + +type: integer + +-- + +*`zeek.http.resp_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP response message body. + + +type: integer + +-- + +[float] +=== intel + +Fields exported by the Zeek Intel log. + + + + +*`zeek.intel.seen.indicator`*:: ++ +-- +The intelligence indicator. + + +type: keyword + +-- + +*`zeek.intel.seen.indicator_type`*:: ++ +-- +The type of data the indicator represents. + + +type: keyword + +-- + +*`zeek.intel.seen.host`*:: ++ +-- +If the indicator type was Intel::ADDR, then this field will be present. + + +type: keyword + +-- + +*`zeek.intel.seen.conn`*:: ++ +-- +If the data was discovered within a connection, the connection record should go here to give context to the data. + + +type: keyword + +-- + +*`zeek.intel.seen.where`*:: ++ +-- +Where the data was discovered. 
+ + +type: keyword + +-- + +*`zeek.intel.seen.node`*:: ++ +-- +The name of the node where the match was discovered. + + +type: keyword + +-- + +*`zeek.intel.seen.uid`*:: ++ +-- +If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.seen.f`*:: ++ +-- +If the data was discovered within a file, the file record should go here to provide context to the data. + + +type: object + +-- + +*`zeek.intel.seen.fuid`*:: ++ +-- +If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.matched`*:: ++ +-- +Event to represent a match in the intelligence data from data that was seen. + + +type: keyword + +-- + +*`zeek.intel.sources`*:: ++ +-- +Sources which supplied data for this match. + + +type: keyword + +-- + +*`zeek.intel.fuid`*:: ++ +-- +If a file was associated with this intelligence hit, this is the uid for the file. + + +type: keyword + +-- + +*`zeek.intel.file_mime_type`*:: ++ +-- +A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. + + +type: keyword + +-- + +*`zeek.intel.file_desc`*:: ++ +-- +Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. + + +type: keyword + +-- + +[float] +=== irc + +Fields exported by the Zeek IRC log + + + +*`zeek.irc.nick`*:: ++ +-- +Nickname given for the connection. + + +type: keyword + +-- + +*`zeek.irc.user`*:: ++ +-- +Username given for the connection. + + +type: keyword + +-- + +*`zeek.irc.command`*:: ++ +-- +Command given by the client. + + +type: keyword + +-- + +*`zeek.irc.value`*:: ++ +-- +Value for the command given by the client. 
+ + +type: keyword + +-- + +*`zeek.irc.addl`*:: ++ +-- +Any additional data for the command. + + +type: keyword + +-- + + + +*`zeek.irc.dcc.file.name`*:: ++ +-- +Present if base/protocols/irc/dcc-send.bro is loaded. +DCC filename requested. + + +type: keyword + +-- + +*`zeek.irc.dcc.file.size`*:: ++ +-- +Present if base/protocols/irc/dcc-send.bro is loaded. +Size of the DCC transfer as indicated by the sender. + + +type: long + +-- + +*`zeek.irc.dcc.mime_type`*:: ++ +-- +present if base/protocols/irc/dcc-send.bro is loaded. +Sniffed mime type of the file. + + +type: keyword + +-- + +*`zeek.irc.fuid`*:: ++ +-- +present if base/protocols/irc/files.bro is loaded. +File unique ID. + + +type: keyword + +-- + +[float] +=== kerberos + +Fields exported by the Zeek Kerberos log + + + +*`zeek.kerberos.request_type`*:: ++ +-- +Request type - Authentication Service (AS) or Ticket Granting Service (TGS). + + +type: keyword + +-- + +*`zeek.kerberos.client`*:: ++ +-- +Client name. + + +type: keyword + +-- + +*`zeek.kerberos.service`*:: ++ +-- +Service name. + + +type: keyword + +-- + +*`zeek.kerberos.success`*:: ++ +-- +Request result. + + +type: boolean + +-- + + +*`zeek.kerberos.error.code`*:: ++ +-- +Error code. + + +type: integer + +-- + +*`zeek.kerberos.error.msg`*:: ++ +-- +Error message. + + +type: keyword + +-- + + +*`zeek.kerberos.valid.from`*:: ++ +-- +Ticket valid from. + + +type: date + +-- + +*`zeek.kerberos.valid.until`*:: ++ +-- +Ticket valid until. + + +type: date + +-- + +*`zeek.kerberos.valid.days`*:: ++ +-- +Number of days the ticket is valid for. + + +type: integer + +-- + +*`zeek.kerberos.cipher`*:: ++ +-- +Ticket encryption type. + + +type: keyword + +-- + +*`zeek.kerberos.forwardable`*:: ++ +-- +Forwardable ticket requested. + + +type: boolean + +-- + +*`zeek.kerberos.renewable`*:: ++ +-- +Renewable ticket requested. + + +type: boolean + +-- + + +*`zeek.kerberos.ticket.auth`*:: ++ +-- +Hash of ticket used to authorize request/transaction. 
+ + +type: keyword + +-- + +*`zeek.kerberos.ticket.new`*:: ++ +-- +Hash of ticket returned by the KDC. + + +type: keyword + +-- + + + +*`zeek.kerberos.cert.client.value`*:: ++ +-- +Client certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.client.fuid`*:: ++ +-- +File unique ID of client cert. + + +type: keyword + +-- + +*`zeek.kerberos.cert.client.subject`*:: ++ +-- +Subject of client certificate. + + +type: keyword + +-- + + +*`zeek.kerberos.cert.server.value`*:: ++ +-- +Server certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.server.fuid`*:: ++ +-- +File unique ID of server certificate. + + +type: keyword + +-- + +*`zeek.kerberos.cert.server.subject`*:: ++ +-- +Subject of server certificate. + + +type: keyword + +-- + +[float] +=== modbus + +Fields exported by the Zeek modbus log. + + + +*`zeek.modbus.function`*:: ++ +-- +The name of the function message that was sent. + + +type: keyword + +-- + +*`zeek.modbus.exception`*:: ++ +-- +The exception if the response was a failure. + + +type: keyword + +-- + +*`zeek.modbus.track_address`*:: ++ +-- +Present if policy/protocols/modbus/track-memmap.bro is loaded. +Modbus track address. + + +type: integer + +-- + +[float] +=== mysql + +Fields exported by the Zeek MySQL log. + + + +*`zeek.mysql.cmd`*:: ++ +-- +The command that was issued. + + +type: keyword + +-- + +*`zeek.mysql.arg`*:: ++ +-- +The argument issued to the command. + + +type: keyword + +-- + +*`zeek.mysql.success`*:: ++ +-- +Whether the command succeeded. + + +type: boolean + +-- + +*`zeek.mysql.rows`*:: ++ +-- +The number of affected rows, if any. + + +type: integer + +-- + +*`zeek.mysql.response`*:: ++ +-- +Server message, if any. + + +type: keyword + +-- + +[float] +=== notice + +Fields exported by the Zeek Notice log. + + + +*`zeek.notice.connection_id`*:: ++ +-- +Identifier of the related connection session. + + +type: keyword + +-- + +*`zeek.notice.icmp_id`*:: ++ +-- +Identifier of the related ICMP session. 
+ + +type: keyword + +-- + +*`zeek.notice.file.id`*:: ++ +-- +An identifier associated with a single file that is related to this notice. + + +type: keyword + +-- + +*`zeek.notice.file.parent_id`*:: ++ +-- +Identifier associated with a container file from which this one was extracted. + + +type: keyword + +-- + +*`zeek.notice.file.source`*:: ++ +-- +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. + + +type: keyword + +-- + +*`zeek.notice.file.mime_type`*:: ++ +-- +A mime type if the notice is related to a file. + + +type: keyword + +-- + +*`zeek.notice.file.is_orig`*:: ++ +-- +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. + + +type: boolean + +-- + +*`zeek.notice.file.seen_bytes`*:: ++ +-- +Number of bytes provided to the file analysis engine for the file. + + +type: long + +-- + +*`zeek.notice.ffile.total_bytes`*:: ++ +-- +Total number of bytes that are supposed to comprise the full file. + + +type: long + +-- + +*`zeek.notice.file.missing_bytes`*:: ++ +-- +The number of bytes in the file stream that were completely missed during the process +of analysis. + + +type: long + +-- + +*`zeek.notice.file.overflow_bytes`*:: ++ +-- +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. + + +type: long + +-- + +*`zeek.notice.fuid`*:: ++ +-- +A file unique ID if this notice is related to a file. + + +type: keyword + +-- + +*`zeek.notice.note`*:: ++ +-- +The type of the notice. + + +type: keyword + +-- + +*`zeek.notice.msg`*:: ++ +-- +The human readable message for the notice. + + +type: keyword + +-- + +*`zeek.notice.sub`*:: ++ +-- +The human readable sub-message. 
+ + +type: keyword + +-- + +*`zeek.notice.n`*:: ++ +-- +Associated count, or a status code. + + +type: long + +-- + +*`zeek.notice.peer_name`*:: ++ +-- +Name of remote peer that raised this notice. + + +type: keyword + +-- + +*`zeek.notice.peer_descr`*:: ++ +-- +Textual description for the peer that raised this notice. + + +type: text + +-- + +*`zeek.notice.actions`*:: ++ +-- +The actions which have been applied to this notice. + + +type: keyword + +-- + +*`zeek.notice.email_body_sections`*:: ++ +-- +By adding chunks of text into this element, other scripts can expand on notices +that are being emailed. + + +type: text + +-- + +*`zeek.notice.email_delay_tokens`*:: ++ +-- +Adding a string token to this set will cause the built-in emailing functionality +to delay sending the email either the token has been removed or the email +has been delayed for the specified time duration. + + +type: keyword + +-- + +*`zeek.notice.identifier`*:: ++ +-- +This field is provided when a notice is generated for the purpose of deduplicating notices. + + +type: keyword + +-- + +*`zeek.notice.suppress_for`*:: ++ +-- +This field indicates the length of time that this unique notice should be suppressed. + + +type: double + +-- + +*`zeek.notice.dropped`*:: ++ +-- +Indicate if the source IP address was dropped and denied network access. + + +type: boolean + +-- + +[float] +=== ntlm + +Fields exported by the Zeek NTLM log. + + + +*`zeek.ntlm.domain`*:: ++ +-- +Domain name given by the client. + + +type: keyword + +-- + +*`zeek.ntlm.hostname`*:: ++ +-- +Hostname given by the client. + + +type: keyword + +-- + +*`zeek.ntlm.success`*:: ++ +-- +Indicate whether or not the authentication was successful. + + +type: boolean + +-- + +*`zeek.ntlm.username`*:: ++ +-- +Username given by the client. + + +type: keyword + +-- + + + +*`zeek.ntlm.server.name.dns`*:: ++ +-- +DNS name given by the server in a CHALLENGE. 
+ + +type: keyword + +-- + +*`zeek.ntlm.server.name.netbios`*:: ++ +-- +NetBIOS name given by the server in a CHALLENGE. + + +type: keyword + +-- + +*`zeek.ntlm.server.name.tree`*:: ++ +-- +Tree name given by the server in a CHALLENGE. + + +type: keyword + +-- + +[float] +=== ocsp + +Fields exported by the Zeek OCSP log +Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. + + + +*`zeek.ocsp.file_id`*:: ++ +-- +File id of the OCSP reply. + + +type: keyword + +-- + + +*`zeek.ocsp.hash.algorithm`*:: ++ +-- +Hash algorithm used to generate issuerNameHash and issuerKeyHash. + + +type: keyword + +-- + + +*`zeek.ocsp.hash.issuer.name`*:: ++ +-- +Hash of the issuer's distingueshed name. + + +type: keyword + +-- + +*`zeek.ocsp.hash.issuer.key`*:: ++ +-- +Hash of the issuer's public key. + + +type: keyword + +-- + +*`zeek.ocsp.serial_number`*:: ++ +-- +Serial number of the affected certificate. + + +type: keyword + +-- + +*`zeek.ocsp.status`*:: ++ +-- +Status of the affected certificate. + + +type: keyword + +-- + + +*`zeek.ocsp.revoke.time`*:: ++ +-- +Time at which the certificate was revoked. + + +type: date + +-- + +*`zeek.ocsp.revoke.reason`*:: ++ +-- +Reason for which the certificate was revoked. + + +type: keyword + +-- + + +*`zeek.ocsp.update.this`*:: ++ +-- +The time at which the status being shows is known to have been correct. + + +type: date + +-- + +*`zeek.ocsp.update.next`*:: ++ +-- +The latest time at which new information about the status of the certificate will be available. + + +type: date + +-- + +[float] +=== pe + +Fields exported by the Zeek pe log. + + + +*`zeek.pe.client`*:: ++ +-- +The client's version string. + + +type: keyword + +-- + +*`zeek.pe.id`*:: ++ +-- +File id of this portable executable file. + + +type: keyword + +-- + +*`zeek.pe.machine`*:: ++ +-- +The target machine that the file was compiled for. + + +type: keyword + +-- + +*`zeek.pe.compile_time`*:: ++ +-- +The time that the file was created at. 
+ + +type: date + +-- + +*`zeek.pe.os`*:: ++ +-- +The required operating system. + + +type: keyword + +-- + +*`zeek.pe.subsystem`*:: ++ +-- +The subsystem that is required to run this file. + + +type: keyword + +-- + +*`zeek.pe.is_exe`*:: ++ +-- +Is the file an executable, or just an object file? + + +type: boolean + +-- + +*`zeek.pe.is_64bit`*:: ++ +-- +Is the file a 64-bit executable? + + +type: boolean + +-- + +*`zeek.pe.uses_aslr`*:: ++ +-- +Does the file support Address Space Layout Randomization? + + +type: boolean + +-- + +*`zeek.pe.uses_dep`*:: ++ +-- +Does the file support Data Execution Prevention? + + +type: boolean + +-- + +*`zeek.pe.uses_code_integrity`*:: ++ +-- +Does the file enforce code integrity checks? + + +type: boolean + +-- + +*`zeek.pe.uses_seh`*:: ++ +-- +Does the file use structured exception handing? + + +type: boolean + +-- + +*`zeek.pe.has_import_table`*:: ++ +-- +Does the file have an import table? + + +type: boolean + +-- + +*`zeek.pe.has_export_table`*:: ++ +-- +Does the file have an export table? + + +type: boolean + +-- + +*`zeek.pe.has_cert_table`*:: ++ +-- +Does the file have an attribute certificate table? + + +type: boolean + +-- + +*`zeek.pe.has_debug_data`*:: ++ +-- +Does the file have a debug table? + + +type: boolean + +-- + +*`zeek.pe.section_names`*:: ++ +-- +The names of the sections, in order. + + +type: keyword + +-- + +[float] +=== radius + +Fields exported by the Zeek Radius log. + + + +*`zeek.radius.username`*:: ++ +-- +The username, if present. + + +type: keyword + +-- + +*`zeek.radius.mac`*:: ++ +-- +MAC address, if present. + + +type: keyword + +-- + +*`zeek.radius.framed_addr`*:: ++ +-- +The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. + + +type: ip + +-- + +*`zeek.radius.remote_ip`*:: ++ +-- +Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. 
+ + +type: ip + +-- + +*`zeek.radius.connect_info`*:: ++ +-- +Connect info, if present. + + +type: keyword + +-- + +*`zeek.radius.reply_msg`*:: ++ +-- +Reply message from the server challenge. This is frequently shown to the user authenticating. + + +type: keyword + +-- + +*`zeek.radius.result`*:: ++ +-- +Successful or failed authentication. + + +type: keyword + +-- + +*`zeek.radius.ttl`*:: ++ +-- +The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. + + +type: integer + +-- + +*`zeek.radius.logged`*:: ++ +-- +Whether this has already been logged and can be ignored. + + +type: boolean + +-- + +[float] +=== rdp + +Fields exported by the Zeek RDP log. + + + +*`zeek.rdp.cookie`*:: ++ +-- +Cookie value used by the client machine. This is typically a username. + + +type: keyword + +-- + +*`zeek.rdp.result`*:: ++ +-- +Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. + + +type: keyword + +-- + +*`zeek.rdp.security_protocol`*:: ++ +-- +Security protocol chosen by the server. + + +type: keyword + +-- + +*`zeek.rdp.keyboard_layout`*:: ++ +-- +Keyboard layout (language) of the client machine. + + +type: keyword + +-- + + +*`zeek.rdp.client.build`*:: ++ +-- +RDP client version used by the client machine. + + +type: keyword + +-- + +*`zeek.rdp.client.client_name`*:: ++ +-- +Name of the client machine. + + +type: keyword + +-- + +*`zeek.rdp.client.product_id`*:: ++ +-- +Product ID of the client machine. + + +type: keyword + +-- + + +*`zeek.rdp.desktop.width`*:: ++ +-- +Desktop width of the client machine. + + +type: integer + +-- + +*`zeek.rdp.desktop.height`*:: ++ +-- +Desktop height of the client machine. + + +type: integer + +-- + +*`zeek.rdp.desktop.color_depth`*:: ++ +-- +The color depth requested by the client in the high_color_depth field. 
+ + +type: keyword + +-- + + +*`zeek.rdp.cert.type`*:: ++ +-- +If the connection is being encrypted with native RDP encryption, this is the type of cert being used. + + +type: keyword + +-- + +*`zeek.rdp.cert.count`*:: ++ +-- +The number of certs seen. X.509 can transfer an entire certificate chain. + + +type: integer + +-- + +*`zeek.rdp.cert.permanent`*:: ++ +-- +Indicates if the provided certificate or certificate chain is permanent or temporary. + + +type: boolean + +-- + + +*`zeek.rdp.encryption.level`*:: ++ +-- +Encryption level of the connection. + + +type: keyword + +-- + +*`zeek.rdp.encryption.method`*:: ++ +-- +Encryption method of the connection. + + +type: keyword + +-- + +*`zeek.rdp.done`*:: ++ +-- +Track status of logging RDP connections. + + +type: boolean + +-- + +*`zeek.rdp.ssl`*:: ++ +-- +(present if policy/protocols/rdp/indicate_ssl.bro is loaded) +Flag the connection if it was seen over SSL. + + +type: boolean + +-- + +[float] +=== rfb + +Fields exported by the Zeek RFB log. + + + + + +*`zeek.rfb.version.client.major`*:: ++ +-- +Major version of the client. + + +type: keyword + +-- + +*`zeek.rfb.version.client.minor`*:: ++ +-- +Minor version of the client. + + +type: keyword + +-- + + +*`zeek.rfb.version.server.major`*:: ++ +-- +Major version of the server. + + +type: keyword + +-- + +*`zeek.rfb.version.server.minor`*:: ++ +-- +Minor version of the server. + + +type: keyword + +-- + + +*`zeek.rfb.auth.success`*:: ++ +-- +Whether or not authentication was successful. + + +type: boolean + +-- + +*`zeek.rfb.auth.method`*:: ++ +-- +Identifier of authentication method used. + + +type: keyword + +-- + +*`zeek.rfb.share_flag`*:: ++ +-- +Whether the client has an exclusive or a shared session. + + +type: boolean + +-- + +*`zeek.rfb.desktop_name`*:: ++ +-- +Name of the screen that is being shared. + + +type: keyword + +-- + +*`zeek.rfb.width`*:: ++ +-- +Width of the screen that is being shared. 
+ + +type: integer + +-- + +*`zeek.rfb.height`*:: ++ +-- +Height of the screen that is being shared. + + +type: integer + +-- + +[float] +=== sip + +Fields exported by the Zeek SIP log. + + + +*`zeek.sip.transaction_depth`*:: ++ +-- +Represents the pipelined depth into the connection of this request/response transaction. + + +type: integer + +-- + + +*`zeek.sip.sequence.method`*:: ++ +-- +Verb used in the SIP request (INVITE, REGISTER etc.). + + +type: keyword + +-- + +*`zeek.sip.sequence.number`*:: ++ +-- +Contents of the CSeq: header from the client. + + +type: keyword + +-- + +*`zeek.sip.uri`*:: ++ +-- +URI used in the request. + + +type: keyword + +-- + +*`zeek.sip.date`*:: ++ +-- +Contents of the Date: header from the client. + + +type: keyword + +-- + + +*`zeek.sip.request.from`*:: ++ +-- +Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + + +type: keyword + +-- + +*`zeek.sip.request.to`*:: ++ +-- +Contents of the To: header. + + +type: keyword + +-- + +*`zeek.sip.request.path`*:: ++ +-- +The client message transmission path, as extracted from the headers. + + +type: keyword + +-- + +*`zeek.sip.request.body_length`*:: ++ +-- +Contents of the Content-Length: header from the client. + + +type: long + +-- + + +*`zeek.sip.response.from`*:: ++ +-- +Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + + +type: keyword + +-- + +*`zeek.sip.response.to`*:: ++ +-- +Contents of the response To: header. + + +type: keyword + +-- + +*`zeek.sip.response.path`*:: ++ +-- +The server message transmission path, as extracted from the headers. + + +type: keyword + +-- + +*`zeek.sip.response.body_length`*:: ++ +-- +Contents of the Content-Length: header from the server. + + +type: long + +-- + +*`zeek.sip.reply_to`*:: ++ +-- +Contents of the Reply-To: header. + + +type: keyword + +-- + +*`zeek.sip.call_id`*:: ++ +-- +Contents of the Call-ID: header from the client. + + +type: keyword + +-- + +*`zeek.sip.subject`*:: ++ +-- +Contents of the Subject: header from the client. + + +type: keyword + +-- + +*`zeek.sip.user_agent`*:: ++ +-- +Contents of the User-Agent: header from the client. + + +type: keyword + +-- + + +*`zeek.sip.status.code`*:: ++ +-- +Status code returned by the server. + + +type: integer + +-- + +*`zeek.sip.status.msg`*:: ++ +-- +Status message returned by the server. + + +type: keyword + +-- + +*`zeek.sip.warning`*:: ++ +-- +Contents of the Warning: header. + + +type: keyword + +-- + +*`zeek.sip.content_type`*:: ++ +-- +Contents of the Content-Type: header from the server. + + +type: keyword + +-- + +[float] +=== smb_cmd + +Fields exported by the Zeek smb_cmd log. + + + +*`zeek.smb_cmd.command`*:: ++ +-- +The command sent by the client. + + +type: keyword + +-- + +*`zeek.smb_cmd.sub_command`*:: ++ +-- +The subcommand sent by the client, if present. + + +type: keyword + +-- + +*`zeek.smb_cmd.argument`*:: ++ +-- +Command argument sent by the client, if any. + + +type: keyword + +-- + +*`zeek.smb_cmd.status`*:: ++ +-- +Server reply to the client's command. + + +type: keyword + +-- + +*`zeek.smb_cmd.rtt`*:: ++ +-- +Round trip time from the request to the response. + + +type: double + +-- + +*`zeek.smb_cmd.version`*:: ++ +-- +Version of SMB for the command. 
+ + +type: keyword + +-- + +*`zeek.smb_cmd.username`*:: ++ +-- +Authenticated username, if available. + + +type: keyword + +-- + +*`zeek.smb_cmd.tree`*:: ++ +-- +If this is related to a tree, this is the tree that was used for the current command. + + +type: keyword + +-- + +*`zeek.smb_cmd.tree_service`*:: ++ +-- +The type of tree (disk share, printer share, named pipe, etc.). + + +type: keyword + +-- + +[float] +=== file + +If the command referenced a file, store it here. + + + +*`zeek.smb_cmd.file.name`*:: ++ +-- +Filename if one was seen. + + +type: keyword + +-- + +*`zeek.smb_cmd.file.action`*:: ++ +-- +Action this log record represents. + + +type: keyword + +-- + +*`zeek.smb_cmd.file.uid`*:: ++ +-- +UID of the referenced file. + + +type: keyword + +-- + + +*`zeek.smb_cmd.file.host.tx`*:: ++ +-- +Address of the transmitting host. + + +type: ip + +-- + +*`zeek.smb_cmd.file.host.rx`*:: ++ +-- +Address of the receiving host. + + +type: ip + +-- + +*`zeek.smb_cmd.smb1_offered_dialects`*:: ++ +-- +Present if base/protocols/smb/smb1-main.bro is loaded. +Dialects offered by the client. + + +type: keyword + +-- + +*`zeek.smb_cmd.smb2_offered_dialects`*:: ++ +-- +Present if base/protocols/smb/smb2-main.bro is loaded. +Dialects offered by the client. + + +type: integer + +-- + +[float] +=== smb_files + +Fields exported by the Zeek SMB Files log. + + + +*`zeek.smb_files.action`*:: ++ +-- +Action this log record represents. + + +type: keyword + +-- + +*`zeek.smb_files.fid`*:: ++ +-- +ID referencing this file. + + +type: integer + +-- + +*`zeek.smb_files.name`*:: ++ +-- +Filename if one was seen. + + +type: keyword + +-- + +*`zeek.smb_files.path`*:: ++ +-- +Path pulled from the tree this file was transferred to or from. + + +type: keyword + +-- + +*`zeek.smb_files.previous_name`*:: ++ +-- +If the rename action was seen, this will be the file's previous name. + + +type: keyword + +-- + +*`zeek.smb_files.size`*:: ++ +-- +Byte size of the file. 
+ + +type: long + +-- + +[float] +=== times + +Timestamps of the file. + + + +*`zeek.smb_files.times.accessed`*:: ++ +-- +The file's access time. + + +type: date + +-- + +*`zeek.smb_files.times.changed`*:: ++ +-- +The file's change time. + + +type: date + +-- + +*`zeek.smb_files.times.created`*:: ++ +-- +The file's create time. + + +type: date + +-- + +*`zeek.smb_files.times.modified`*:: ++ +-- +The file's modify time. + + +type: date + +-- + +*`zeek.smb_files.uuid`*:: ++ +-- +UUID referencing this file if DCE/RPC. + + +type: keyword + +-- + +[float] +=== smb_mapping + +Fields exported by the Zeek SMB_Mapping log. + + + +*`zeek.smb_mapping.path`*:: ++ +-- +Name of the tree path. + + +type: keyword + +-- + +*`zeek.smb_mapping.service`*:: ++ +-- +The type of resource of the tree (disk share, printer share, named pipe, etc.). + + +type: keyword + +-- + +*`zeek.smb_mapping.native_file_system`*:: ++ +-- +File system of the tree. + + +type: keyword + +-- + +*`zeek.smb_mapping.share_type`*:: ++ +-- +If this is SMB2, a share type will be included. For SMB1, the type of share +will be deduced and included as well. + + +type: keyword + +-- + +[float] +=== smtp + +Fields exported by the Zeek SMTP log. + + + +*`zeek.smtp.transaction_depth`*:: ++ +-- +A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. + + +type: integer + +-- + +*`zeek.smtp.helo`*:: ++ +-- +Contents of the Helo header. + + +type: keyword + +-- + +*`zeek.smtp.mail_from`*:: ++ +-- +Email addresses found in the MAIL FROM header. + + +type: keyword + +-- + +*`zeek.smtp.rcpt_to`*:: ++ +-- +Email addresses found in the RCPT TO header. + + +type: keyword + +-- + +*`zeek.smtp.date`*:: ++ +-- +Contents of the Date header. + + +type: date + +-- + +*`zeek.smtp.from`*:: ++ +-- +Contents of the From header. + + +type: keyword + +-- + +*`zeek.smtp.to`*:: ++ +-- +Contents of the To header. 
+ + +type: keyword + +-- + +*`zeek.smtp.cc`*:: ++ +-- +Contents of the CC header. + + +type: keyword + +-- + +*`zeek.smtp.reply_to`*:: ++ +-- +Contents of the ReplyTo header. + + +type: keyword + +-- + +*`zeek.smtp.msg_id`*:: ++ +-- +Contents of the MsgID header. + + +type: keyword + +-- + +*`zeek.smtp.in_reply_to`*:: ++ +-- +Contents of the In-Reply-To header. + + +type: keyword + +-- + +*`zeek.smtp.subject`*:: ++ +-- +Contents of the Subject header. + + +type: keyword + +-- + +*`zeek.smtp.x_originating_ip`*:: ++ +-- +Contents of the X-Originating-IP header. + + +type: keyword + +-- + +*`zeek.smtp.first_received`*:: ++ +-- +Contents of the first Received header. + + +type: keyword + +-- + +*`zeek.smtp.second_received`*:: ++ +-- +Contents of the second Received header. + + +type: keyword + +-- + +*`zeek.smtp.last_reply`*:: ++ +-- +The last message that the server sent to the client. + + +type: keyword + +-- + +*`zeek.smtp.path`*:: ++ +-- +The message transmission path, as extracted from the headers. + + +type: ip + +-- + +*`zeek.smtp.user_agent`*:: ++ +-- +Value of the User-Agent header from the client. + + +type: keyword + +-- + +*`zeek.smtp.tls`*:: ++ +-- +Indicates that the connection has switched to using TLS. + + +type: boolean + +-- + +*`zeek.smtp.process_received_from`*:: ++ +-- +Indicates if the "Received: from" headers should still be processed. + + +type: boolean + +-- + +*`zeek.smtp.has_client_activity`*:: ++ +-- +Indicates if client activity has been seen, but not yet logged. + + +type: boolean + +-- + +*`zeek.smtp.fuids`*:: ++ +-- +(present if base/protocols/smtp/files.bro is loaded) +An ordered vector of file unique IDs seen attached to the message. + + +type: keyword + +-- + +*`zeek.smtp.is_webmail`*:: ++ +-- +Indicates if the message was sent through a webmail interface. + + +type: boolean + +-- + +[float] +=== snmp + +Fields exported by the Zeek SNMP log. 
+ + + +*`zeek.snmp.duration`*:: ++ +-- +The amount of time between the first packet beloning to the SNMP session and the latest one seen. + + +type: double + +-- + +*`zeek.snmp.version`*:: ++ +-- +The version of SNMP being used. + + +type: keyword + +-- + +*`zeek.snmp.community`*:: ++ +-- +The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. + + +type: keyword + +-- + + +*`zeek.snmp.get.requests`*:: ++ +-- +The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.bulk_requests`*:: ++ +-- +The number of variable bindings in GetBulkRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.responses`*:: ++ +-- +The number of variable bindings in GetResponse/Response PDUs seen for the session. + + +type: integer + +-- + + +*`zeek.snmp.set.requests`*:: ++ +-- +The number of variable bindings in SetRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.display_string`*:: ++ +-- +A system description of the SNMP responder endpoint. + + +type: keyword + +-- + +*`zeek.snmp.up_since`*:: ++ +-- +The time at which the SNMP responder endpoint claims it's been up since. + + +type: date + +-- + +[float] +=== socks + +Fields exported by the Zeek SOCKS log. + + + +*`zeek.socks.version`*:: ++ +-- +Protocol version of SOCKS. + + +type: integer + +-- + +*`zeek.socks.user`*:: ++ +-- +Username used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.password`*:: ++ +-- +Password used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.status`*:: ++ +-- +Server status for the attempt at using the proxy. + + +type: keyword + +-- + + +*`zeek.socks.request.host`*:: ++ +-- +Client requested SOCKS address. Could be an address, a name or both. 
+ + +type: keyword + +-- + +*`zeek.socks.request.port`*:: ++ +-- +Client requested port. + + +type: integer + +-- + + +*`zeek.socks.bound.host`*:: ++ +-- +Server bound address. Could be an address, a name or both. + + +type: keyword + +-- + +*`zeek.socks.bound.port`*:: ++ +-- +Server bound port. + + +type: integer + +-- + +*`zeek.socks.capture_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +[float] +=== ssh + +Fields exported by the Zeek SSH log. + + + +*`zeek.ssh.client`*:: ++ +-- +The client's version string. + + +type: keyword + +-- + +*`zeek.ssh.direction`*:: ++ +-- +Direction of the connection. If the client was a local host logging into +an external host, this would be OUTBOUND. INBOUND would be set for the +opposite situation. + + +type: keyword + +-- + +*`zeek.ssh.host_key`*:: ++ +-- +The server's key thumbprint. + + +type: keyword + +-- + +*`zeek.ssh.server`*:: ++ +-- +The server's version string. + + +type: keyword + +-- + +*`zeek.ssh.version`*:: ++ +-- +SSH major version (1 or 2). + + +type: integer + +-- + +[float] +=== algorithm + +Cipher algorithms used in this session. + + + +*`zeek.ssh.algorithm.cipher`*:: ++ +-- +The encryption algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.compression`*:: ++ +-- +The compression algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.host_key`*:: ++ +-- +The server host key's algorithm. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.key_exchange`*:: ++ +-- +The key exchange algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.mac`*:: ++ +-- +The signing (MAC) algorithm in use. + + +type: keyword + +-- + + +*`zeek.ssh.auth.attempts`*:: ++ +-- +The number of authentication attemps we observed. There's always at +least one, since some servers might support no authentication at all. +It's important to note that not all of these are failures, since some +servers require two-factor auth (e.g. 
password AND pubkey). + + +type: integer + +-- + +*`zeek.ssh.auth.success`*:: ++ +-- +Authentication result. + + +type: boolean + +-- + +[float] +=== ssl + +Fields exported by the Zeek SSL log. + + + +*`zeek.ssl.version`*:: ++ +-- +SSL/TLS version that was logged. + + +type: keyword + +-- + +*`zeek.ssl.cipher`*:: ++ +-- +SSL/TLS cipher suite that was logged. + + +type: keyword + +-- + +*`zeek.ssl.curve`*:: ++ +-- +Elliptic curve that was logged when using ECDH/ECDHE. + + +type: keyword + +-- + +*`zeek.ssl.resumed`*:: ++ +-- +Flag to indicate if the session was resumed reusing the key material exchanged in an +earlier connection. + + +type: boolean + +-- + +*`zeek.ssl.next_protocol`*:: ++ +-- +Next protocol the server chose using the application layer next protocol extension. + + +type: keyword + +-- + +*`zeek.ssl.established`*:: ++ +-- +Flag to indicate if this ssl session has been established successfully. + + +type: boolean + +-- + + +*`zeek.ssl.validation.status`*:: ++ +-- +Result of certificate validation for this connection. + + +type: keyword + +-- + +*`zeek.ssl.validation.code`*:: ++ +-- +Result of certificate validation for this connection, given as OpenSSL validation code. + + +type: keyword + +-- + +*`zeek.ssl.last_alert`*:: ++ +-- +Last alert that was seen during the connection. + + +type: keyword + +-- + + +*`zeek.ssl.server.name`*:: ++ +-- +Value of the Server Name Indicator SSL/TLS extension. It indicates the server name +that the client was requesting. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain`*:: ++ +-- +Chain of certificates offered by the server to validate its complete signing chain. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the server. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the server. 
+ + + +*`zeek.ssl.server.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the server. + + + +*`zeek.ssl.server.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the server. + + +type: keyword + +-- + + +*`zeek.ssl.client.cert_chain`*:: ++ +-- +Chain of certificates offered by the client to validate its complete signing chain. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the client. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the client. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== stats + +Fields exported by the Zeek stats log. + + + +*`zeek.stats.peer`*:: ++ +-- +Peer that generated this log. Mostly for clusters. + + +type: keyword + +-- + +*`zeek.stats.memory`*:: ++ +-- +Amount of memory currently in use in MB. + + +type: integer + +-- + + +*`zeek.stats.packets.processed`*:: ++ +-- +Number of packets processed since the last stats interval. + + +type: long + +-- + +*`zeek.stats.packets.dropped`*:: ++ +-- +Number of packets dropped since the last stats interval if reading live traffic. + + +type: long -- -*`system.auth.sudo.command`*:: +*`zeek.stats.packets.received`*:: + -- -The command executed via sudo. +Number of packets seen on the link since the last stats interval if reading live traffic. + + +type: long + +-- + + +*`zeek.stats.bytes.received`*:: ++ +-- +Number of bytes received since the last stats interval if reading live traffic. + + +type: long + +-- + + + +*`zeek.stats.connections.tcp.active`*:: ++ +-- +TCP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.tcp.count`*:: ++ +-- +TCP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.udp.active`*:: ++ +-- +UDP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.udp.count`*:: ++ +-- +UDP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.icmp.active`*:: ++ +-- +ICMP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.icmp.count`*:: ++ +-- +ICMP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.events.processed`*:: ++ +-- +Number of events processed since the last stats interval. 
+ + +type: integer + +-- + +*`zeek.stats.events.queued`*:: ++ +-- +Number of events that have been queued since the last stats interval. + + +type: integer + +-- + + +*`zeek.stats.timers.count`*:: ++ +-- +Number of timers scheduled since last stats interval. + + +type: integer + +-- + +*`zeek.stats.timers.active`*:: ++ +-- +Current number of scheduled timers. + +type: integer + +-- + + +*`zeek.stats.files.count`*:: ++ +-- +Number of files seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.files.active`*:: ++ +-- +Current number of files actively being seen. + + +type: integer + +-- + + +*`zeek.stats.dns_requests.count`*:: ++ +-- +Number of DNS requests seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.dns_requests.active`*:: ++ +-- +Current number of DNS requests awaiting a reply. + + +type: integer + +-- + + +*`zeek.stats.reassembly_size.tcp`*:: ++ +-- +Current size of TCP data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.file`*:: ++ +-- +Current size of File data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.frag`*:: ++ +-- +Current size of packet fragment data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.unknown`*:: ++ +-- +Current size of unknown data in reassembly (this is only PIA buffer right now). + + +type: integer + +-- + +*`zeek.stats.timestamp_lag`*:: ++ +-- +Lag between the wall clock and packet timestamps if reading live traffic. + + +type: integer -- [float] -=== useradd +=== syslog -Fields specific to events created by the `useradd` command. +Fields exported by the Zeek syslog log. -*`system.auth.useradd.home`*:: +*`zeek.syslog.facility`*:: + -- -The home folder for the new user. +Syslog facility for the message. + + +type: keyword -- -*`system.auth.useradd.shell`*:: +*`zeek.syslog.severity`*:: + -- -The default shell for the new user. +Syslog severity for the message. 
+ + +type: keyword -- -*`system.auth.useradd.name`*:: +*`zeek.syslog.message`*:: + -- -type: alias +The plain text message. -alias to: user.name + +type: keyword -- -*`system.auth.useradd.uid`*:: +[float] +=== tunnel + +Fields exported by the Zeek SSH log. + + + +*`zeek.tunnel.type`*:: + -- -type: alias +The type of tunnel. -alias to: user.id + +type: keyword -- -*`system.auth.useradd.gid`*:: +*`zeek.tunnel.action`*:: + -- -type: alias +The type of activity that occurred. -alias to: group.id + +type: keyword + +-- + +[float] +=== weird + +Fields exported by the Zeek Weird log. + + + +*`zeek.weird.name`*:: ++ +-- +The name of the weird that occurred. + + +type: keyword + +-- + +*`zeek.weird.additional_info`*:: ++ +-- +Additional information accompanying the weird if any. + + +type: keyword + +-- + +*`zeek.weird.notice`*:: ++ +-- +Indicate if this weird was also turned into a notice. + + +type: boolean + +-- + +*`zeek.weird.peer`*:: ++ +-- +The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. + + +type: keyword + +-- + +*`zeek.weird.identifier`*:: ++ +-- +This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. + + +type: keyword + +-- + +[float] +=== x509 + +Fields exported by the Zeek x509 log. + + + +*`zeek.x509.id`*:: ++ +-- +File id of this certificate. + + +type: keyword + +-- + +[float] +=== certificate + +Basic information about the certificate. + + + +*`zeek.x509.certificate.version`*:: ++ +-- +Version number. + + +type: integer + +-- + +*`zeek.x509.certificate.serial`*:: ++ +-- +Serial number. + + +type: keyword + +-- + +[float] +=== subject + +Subject. 
+ + + +*`zeek.x509.certificate.subject.country`*:: ++ +-- +Country provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.common_name`*:: ++ +-- +Common name provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.locality`*:: ++ +-- +Locality provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organization`*:: ++ +-- +Organization provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.state`*:: ++ +-- +State or province provided in the certificate subject. + + +type: keyword + +-- + +[float] +=== issuer + +Issuer. + + + +*`zeek.x509.certificate.issuer.country`*:: ++ +-- +Country provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.common_name`*:: ++ +-- +Common name provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.locality`*:: ++ +-- +Locality provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organization`*:: ++ +-- +Organization provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.state`*:: ++ +-- +State or province provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.common_name`*:: ++ +-- +Last (most specific) common name. + + +type: keyword -- [float] -=== groupadd +=== valid -Fields specific to events created by the `groupadd` command. 
+Certificate validity timestamps -*`system.auth.groupadd.name`*:: +*`zeek.x509.certificate.valid.from`*:: + -- -type: alias +Timestamp before when certificate is not valid. -alias to: group.name --- +type: date -*`system.auth.groupadd.gid`*:: -+ -- -type: alias - -alias to: group.id +*`zeek.x509.certificate.valid.until`*:: ++ -- +Timestamp after when certificate is not valid. -[float] -=== syslog -Contains fields from the syslog system logs. +type: date +-- -*`system.syslog.timestamp`*:: +*`zeek.x509.certificate.key.algorithm`*:: + -- -type: alias +Name of the key algorithm. -alias to: @timestamp + +type: keyword -- -*`system.syslog.hostname`*:: +*`zeek.x509.certificate.key.type`*:: + -- -type: alias +Key type, if key parseable by openssl (either rsa, dsa or ec). -alias to: host.hostname + +type: keyword -- -*`system.syslog.program`*:: +*`zeek.x509.certificate.key.length`*:: + -- -type: alias +Key length in bits. -alias to: process.name + +type: integer -- -*`system.syslog.pid`*:: +*`zeek.x509.certificate.signature_algorithm`*:: + -- -type: alias +Name of the signature algorithm. -alias to: process.pid --- +type: keyword -*`system.syslog.message`*:: -+ -- -type: alias - -alias to: message +*`zeek.x509.certificate.exponent`*:: ++ -- +Exponent, if RSA-certificate. -[[exported-fields-traefik]] -== Traefik fields - -Module for parsing the Traefik log files. +type: keyword +-- -[float] -=== traefik +*`zeek.x509.certificate.curve`*:: ++ +-- +Curve, if EC-certificate. -Fields from the Traefik log files. +type: keyword +-- [float] -=== access +=== san -Contains fields for the Traefik access logs. +Subject alternative name extension of the certificate. -*`traefik.access.user_identifier`*:: +*`zeek.x509.san.dns`*:: + -- -Is the RFC 1413 identity of the client +List of DNS entries in SAN. type: keyword -- -*`traefik.access.request_count`*:: +*`zeek.x509.san.uri`*:: + -- -The number of requests +List of URI entries in SAN. 
-type: long +type: keyword -- -*`traefik.access.frontend_name`*:: +*`zeek.x509.san.email`*:: + -- -The name of the frontend used +List of email entries in SAN. type: keyword -- -*`traefik.access.backend_url`*:: +*`zeek.x509.san.ip`*:: + -- -The url of the backend where request is forwarded +List of IP entries in SAN. -type: keyword + +type: ip -- -*`traefik.access.body_sent.bytes`*:: +*`zeek.x509.san.other_fields`*:: + -- -type: alias +True if the certificate contained other, not recognized or parsed name fields. -alias to: http.response.body.bytes --- +type: boolean -*`traefik.access.remote_ip`*:: -+ -- -type: alias -alias to: source.address +[float] +=== basic_constraints --- +Basic constraints extension of the certificate. -*`traefik.access.user_name`*:: + + +*`zeek.x509.basic_constraints.certificate_authority`*:: + -- -type: alias +CA flag set or not. -alias to: user.name + +type: boolean -- -*`traefik.access.method`*:: +*`zeek.x509.basic_constraints.path_length`*:: + -- -type: alias +Maximum path length. -alias to: http.request.method + +type: integer -- -*`traefik.access.url`*:: +*`zeek.x509.log_cert`*:: + -- -type: alias +Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded +Logging of certificate is suppressed if set to F. -alias to: url.original --- +type: boolean -*`traefik.access.http_version`*:: -+ -- -type: alias -alias to: http.version +[[exported-fields-zscaler]] +== Zscaler NSS fields --- +zscaler fields. -*`traefik.access.response_code`*:: + + +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. 
-alias to: http.response.status_code --- +type: keyword -*`traefik.access.referrer`*:: -+ -- -type: alias -alias to: http.request.referrer --- -*`traefik.access.agent`*:: +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: user_agent.original +type: keyword -- - -*`traefik.access.user_agent.device`*:: +*`rsa.internal.messageid`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`traefik.access.user_agent.name`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`traefik.access.user_agent.os`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: user_agent.os.full_name +type: keyword -- -*`traefik.access.user_agent.os_name`*:: +*`rsa.internal.time`*:: + -- -type: alias +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -alias to: user_agent.os.name +type: date -- -*`traefik.access.user_agent.original`*:: +*`rsa.internal.level`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: user_agent.original +type: long -- - -*`traefik.access.geoip.continent_name`*:: +*`rsa.internal.msg_id`*:: + -- -type: alias +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: source.geo.continent_name +type: keyword -- -*`traefik.access.geoip.country_iso_code`*:: +*`rsa.internal.msg_vid`*:: + -- -type: alias +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -alias to: source.geo.country_iso_code +type: keyword -- -*`traefik.access.geoip.location`*:: +*`rsa.internal.data`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.location +type: keyword -- -*`traefik.access.geoip.region_name`*:: +*`rsa.internal.obj_server`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_name +type: keyword -- -*`traefik.access.geoip.city_name`*:: +*`rsa.internal.obj_val`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.city_name +type: keyword -- -*`traefik.access.geoip.region_iso_code`*:: +*`rsa.internal.resource`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-zeek]] -== Zeek fields - -Module for handling logs produced by Zeek/Bro - - - -[float] -=== zeek - -Fields from Zeek/Bro logs after normalization +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.session_id`*:: +*`rsa.internal.statement`*:: + -- -A unique identifier of the session - +Deprecated key defined only in table map. type: keyword -- -[float] -=== capture_loss - -Fields exported by the Zeek capture_loss log +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.capture_loss.ts_delta`*:: +*`rsa.internal.entry`*:: + -- -The time delay between this measurement and the last. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.capture_loss.peer`*:: +*`rsa.internal.hcode`*:: + -- -In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. - +Deprecated key defined only in table map. 
type: keyword -- -*`zeek.capture_loss.gaps`*:: +*`rsa.internal.inode`*:: + -- -Number of missed ACKs from the previous measurement interval. - +Deprecated key defined only in table map. -type: integer +type: long -- -*`zeek.capture_loss.acks`*:: +*`rsa.internal.resource_class`*:: + -- -Total number of ACKs seen in the previous measurement interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.capture_loss.percent_lost`*:: +*`rsa.internal.dead`*:: + -- -Percentage of ACKs seen where the data being ACKed wasn't seen. - +Deprecated key defined only in table map. -type: double +type: long -- -[float] -=== connection - -Fields exported by the Zeek Connection log +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`zeek.connection.local_orig`*:: +*`rsa.internal.feed_name`*:: + -- -Indicates whether the session is originated locally. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: boolean +type: keyword -- -*`zeek.connection.local_resp`*:: +*`rsa.internal.cid`*:: + -- -Indicates whether the session is responded locally. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: boolean +type: keyword -- -*`zeek.connection.missed_bytes`*:: +*`rsa.internal.device_class`*:: + -- -Missed bytes for the session. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`zeek.connection.state`*:: +*`rsa.internal.device_group`*:: + -- -Code indicating the state of the session. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.state_message`*:: +*`rsa.internal.device_host`*:: + -- -The state of the session. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`zeek.connection.icmp.type`*:: +*`rsa.internal.device_ip`*:: + -- -ICMP message type. +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: ip -- -*`zeek.connection.icmp.code`*:: +*`rsa.internal.device_ipv6`*:: + -- -ICMP message code. - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: ip -- -*`zeek.connection.history`*:: +*`rsa.internal.device_type`*:: + -- -Flags indicating the history of the session. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.vlan`*:: +*`rsa.internal.device_type_id`*:: + -- -VLAN identifier. - +Deprecated key defined only in table map. -type: integer +type: long -- -*`zeek.connection.inner_vlan`*:: +*`rsa.internal.did`*:: + -- -VLAN identifier. 
+This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -[float] -=== dce_rpc - -Fields exported by the Zeek DCE_RPC log - - - -*`zeek.dce_rpc.rtt`*:: +*`rsa.internal.entropy_req`*:: + -- -Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: integer +type: long -- -*`zeek.dce_rpc.named_pipe`*:: +*`rsa.internal.entropy_res`*:: + -- -Remote pipe name. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`zeek.dce_rpc.endpoint`*:: +*`rsa.internal.event_name`*:: + -- -Endpoint name looked up from the uuid. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.dce_rpc.operation`*:: +*`rsa.internal.feed_category`*:: + -- -Operation seen in the call. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== dhcp - -Fields exported by the Zeek DHCP log - - - -*`zeek.dhcp.domain`*:: +*`rsa.internal.forward_ip`*:: + -- -Domain given by the server in option 15. - +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`zeek.dhcp.duration`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Duration of the DHCP session representing the time from the first -message to the last, in seconds. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: ip -- -*`zeek.dhcp.hostname`*:: +*`rsa.internal.header_id`*:: + -- -Name given by client in Hostname option 12. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.client_fqdn`*:: +*`rsa.internal.lc_cid`*:: + -- -FQDN given by client in Client FQDN option 81. - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.lease_time`*:: +*`rsa.internal.lc_ctime`*:: + -- -IP address lease interval in seconds. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: date -- -[float] -=== address - -Addresses seen in this DHCP exchange. - - - -*`zeek.dhcp.address.assigned`*:: +*`rsa.internal.mcb_req`*:: + -- -IP address assigned by the server. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: ip +type: long -- -*`zeek.dhcp.address.client`*:: +*`rsa.internal.mcb_res`*:: + -- -IP address of the client. If a transaction is only a client sending -INFORM messages then there is no lease information exchanged so this -is helpful to know who sent the messages. Getting an address in this -field does require that the client sources at least one DHCP message -using a non-broadcast address. 
- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: ip +type: long -- -*`zeek.dhcp.address.mac`*:: +*`rsa.internal.mcbc_req`*:: + -- -Client's hardware address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`zeek.dhcp.address.requested`*:: +*`rsa.internal.mcbc_res`*:: + -- -IP address requested by the client. - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: ip +type: long -- -*`zeek.dhcp.address.server`*:: +*`rsa.internal.medium`*:: + -- -IP address of the DHCP server. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: ip +type: long -- - -*`zeek.dhcp.msg.types`*:: +*`rsa.internal.node_name`*:: + -- -List of DHCP message types seen in this exchange. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.dhcp.msg.origin`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -(present if policy/protocols/dhcp/msg-orig.bro is loaded) -The address that originated each message from the msg.types field. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`zeek.dhcp.msg.client`*:: +*`rsa.internal.parse_error`*:: + -- -Message typically accompanied with a DHCP_DECLINE so the client can -tell the server why it rejected an address. - +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.msg.server`*:: +*`rsa.internal.payload_req`*:: + -- -Message typically accompanied with a DHCP_NAK to let the client know -why it rejected the request. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: long -type: keyword +-- +*`rsa.internal.payload_res`*:: ++ -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: long -*`zeek.dhcp.software.client`*:: -+ -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`zeek.dhcp.software.server`*:: +*`rsa.internal.process_vid_src`*:: + -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- - -*`zeek.dhcp.id.circuit`*:: +*`rsa.internal.rid`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -Added by DHCP relay agents which terminate switched or permanent -circuits. It encodes an agent-local identifier of the circuit from -which a DHCP client-to-server packet was received. Typically it -should represent a router or switch interface number. +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`zeek.dhcp.id.remote_agent`*:: +*`rsa.internal.session_split`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -A globally unique identifier added by relay agents to identify the -remote host end of the circuit. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.id.subscriber`*:: +*`rsa.internal.site`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -The subscriber ID is a value independent of the physical network -configuration so that a customer's DHCP configuration can be given -to them correctly no matter where they are physically connected. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== dnp3 - -Fields exported by the Zeek DNP3 log - +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: long +-- -*`zeek.dnp3.function.request`*:: +*`rsa.internal.sourcefile`*:: + -- -The name of the function message in the request. - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dnp3.function.reply`*:: +*`rsa.internal.ubc_req`*:: + -- -The name of the function message in the reply. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: keyword +type: long -- -*`zeek.dnp3.id`*:: +*`rsa.internal.ubc_res`*:: + -- -The response's internal indication number. 
- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: integer +type: long -- -[float] -=== dns +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -Fields exported by the Zeek DNS log +type: keyword +-- -*`zeek.dns.trans_id`*:: +*`rsa.time.event_time`*:: + -- -DNS transaction identifier. - +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`zeek.dns.rtt`*:: +*`rsa.time.duration_time`*:: + -- -Round trip time for the query and response. - +This key is used to capture the normalized duration/lifetime in seconds. type: double -- -*`zeek.dns.query`*:: +*`rsa.time.event_time_str`*:: + -- -The domain name that is the subject of the DNS query. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`zeek.dns.qclass`*:: +*`rsa.time.starttime`*:: + -- -The QCLASS value specifying the class of the query. +This key is used to capture the Start time mentioned in a session in a standard form - -type: long +type: date -- -*`zeek.dns.qclass_name`*:: +*`rsa.time.month`*:: + -- -A descriptive name for the class of the query. +type: keyword +-- +*`rsa.time.day`*:: ++ +-- type: keyword -- -*`zeek.dns.qtype`*:: +*`rsa.time.endtime`*:: + -- -A QTYPE value specifying the type of the query. - +This key is used to capture the End time mentioned in a session in a standard form -type: long +type: date -- -*`zeek.dns.qtype_name`*:: +*`rsa.time.timezone`*:: + --- -A descriptive name for the type of the query. - +-- +This key is used to capture the timezone of the Event Time type: keyword -- -*`zeek.dns.rcode`*:: +*`rsa.time.duration_str`*:: + -- -The response code value in DNS response messages. 
- +A text string version of the duration -type: long +type: keyword -- -*`zeek.dns.rcode_name`*:: +*`rsa.time.date`*:: + -- -A descriptive name for the response code value. +type: keyword +-- +*`rsa.time.year`*:: ++ +-- type: keyword -- -*`zeek.dns.AA`*:: +*`rsa.time.recorded_time`*:: + -- -The Authoritative Answer bit for response messages specifies that the responding -name server is an authority for the domain name in the question section. - +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: boolean +type: date -- -*`zeek.dns.TC`*:: +*`rsa.time.datetime`*:: + -- -The Truncation bit specifies that the message was truncated. - - -type: boolean +type: keyword -- -*`zeek.dns.RD`*:: +*`rsa.time.effective_time`*:: + -- -The Recursion Desired bit in a request message indicates that the client -wants recursive service for this query. - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: boolean +type: date -- -*`zeek.dns.RA`*:: +*`rsa.time.expire_time`*:: + -- -The Recursion Available bit in a response message indicates that the name -server supports recursive queries. - +This key is the timestamp that explicitly refers to an expiration. -type: boolean +type: date -- -*`zeek.dns.answers`*:: +*`rsa.time.process_time`*:: + -- -The set of resource descriptions in the query answer. - +Deprecated, use duration.time type: keyword -- -*`zeek.dns.TTLs`*:: +*`rsa.time.hour`*:: + -- -The caching intervals of the associated RRs described by the answers field. - - -type: double +type: keyword -- -*`zeek.dns.rejected`*:: +*`rsa.time.min`*:: + -- -Indicates whether the DNS query was rejected by the server. 
- - -type: boolean +type: keyword -- -*`zeek.dns.total_answers`*:: +*`rsa.time.timestamp`*:: + -- -The total number of resource records in the reply. - - -type: integer +type: keyword -- -*`zeek.dns.total_replies`*:: +*`rsa.time.event_queue_time`*:: + -- -The total number of resource records in the reply message. - +This key is the Time that the event was queued. -type: integer +type: date -- -*`zeek.dns.saw_query`*:: +*`rsa.time.p_time1`*:: + -- -Whether the full DNS query has been seen. +type: keyword +-- -type: boolean +*`rsa.time.tzone`*:: ++ +-- +type: keyword -- -*`zeek.dns.saw_reply`*:: +*`rsa.time.eventtime`*:: + -- -Whether the full DNS reply has been seen. +type: keyword +-- -type: boolean +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword -- -[float] -=== dpd +*`rsa.time.gmttime`*:: ++ +-- +type: keyword -Fields exported by the Zeek DPD log +-- +*`rsa.time.p_date`*:: ++ +-- +type: keyword +-- -*`zeek.dpd.analyzer`*:: +*`rsa.time.p_month`*:: + -- -The analyzer that generated the violation. +type: keyword +-- +*`rsa.time.p_time`*:: ++ +-- type: keyword -- -*`zeek.dpd.failure_reason`*:: +*`rsa.time.p_time2`*:: + -- -The textual reason for the analysis failure. +type: keyword +-- +*`rsa.time.p_year`*:: ++ +-- type: keyword -- -*`zeek.dpd.packet_segment`*:: +*`rsa.time.expire_time_str`*:: + -- -(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) -A chunk of the payload that most likely resulted in the protocol violation. - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -[float] -=== files +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. -Fields exported by the Zeek Files log. +type: date +-- -*`zeek.files.fuid`*:: +*`rsa.misc.action`*:: + -- -A file unique identifier. - - type: keyword -- -*`zeek.files.tx_host`*:: +*`rsa.misc.result`*:: + -- -The host that transferred the file. 
+This key is used to capture the outcome/result string value of an action in a session. - -type: ip +type: keyword -- -*`zeek.files.rx_host`*:: +*`rsa.misc.severity`*:: + -- -The host that received the file. - +This key is used to capture the severity given the session -type: ip +type: keyword -- -*`zeek.files.session_ids`*:: +*`rsa.misc.event_type`*:: + -- -The sessions that have this file. - +This key captures the event category type as specified by the event source. type: keyword -- -*`zeek.files.source`*:: +*`rsa.misc.reference_id`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key is used to capture an event id from the session directly type: keyword -- -*`zeek.files.depth`*:: +*`rsa.misc.version`*:: + -- -A value to represent the depth of this file in relation to its source. In SMTP, it -is the depth of the MIME attachment on the message. In HTTP, it is the depth of the -request within the TCP connection. +This key captures Version of the application or OS which is generating the event. - -type: long +type: keyword -- -*`zeek.files.analyzers`*:: +*`rsa.misc.disposition`*:: + -- -A set of analysis types done during the file analysis. - +This key captures the The end state of an action. type: keyword -- -*`zeek.files.mime_type`*:: +*`rsa.misc.result_code`*:: + -- -Mime type of the file. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`zeek.files.filename`*:: +*`rsa.misc.category`*:: + -- -Name of the file if available. - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`zeek.files.local_orig`*:: +*`rsa.misc.obj_name`*:: + -- -If the source of this file is a network connection, this field indicates if the data -originated from the local network or not. 
- +This is used to capture name of object -type: boolean +type: keyword -- -*`zeek.files.is_orig`*:: +*`rsa.misc.obj_type`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. - +This is used to capture type of object -type: boolean +type: keyword -- -*`zeek.files.duration`*:: +*`rsa.misc.event_source`*:: + -- -The duration the file was analyzed for. Not the duration of the session. +This key captures Source of the event that’s not a hostname - -type: double +type: keyword -- -*`zeek.files.seen_bytes`*:: +*`rsa.misc.log_session_id`*:: + -- -Number of bytes provided to the file analysis engine for the file. - +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`zeek.files.total_bytes`*:: +*`rsa.misc.group`*:: + -- -Total number of bytes that are supposed to comprise the full file. +This key captures the Group Name value - -type: long +type: keyword -- -*`zeek.files.missing_bytes`*:: +*`rsa.misc.policy_name`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +This key is used to capture the Policy Name only. - -type: long +type: keyword -- -*`zeek.files.overflow_bytes`*:: +*`rsa.misc.rule_name`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +This key captures the Rule Name - -type: long +type: keyword -- -*`zeek.files.timedout`*:: +*`rsa.misc.context`*:: + -- -Whether the file analysis timed out at least once for the file. - +This key captures Information which adds additional context to the event. -type: boolean +type: keyword -- -*`zeek.files.parent_fuid`*:: +*`rsa.misc.change_new`*:: + -- -Identifier associated with a container file from which this one was extracted as part of -the file analysis. 
- +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`zeek.files.md5`*:: +*`rsa.misc.space`*:: + -- -An MD5 digest of the file contents. - - type: keyword -- -*`zeek.files.sha1`*:: +*`rsa.misc.client`*:: + -- -A SHA1 digest of the file contents. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`zeek.files.sha256`*:: +*`rsa.misc.msgIdPart1`*:: + -- -A SHA256 digest of the file contents. - - type: keyword -- -*`zeek.files.extracted`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Local filename of extracted file. - - type: keyword -- -*`zeek.files.extracted_cutoff`*:: +*`rsa.misc.change_old`*:: + -- -Indicate whether the file being extracted was cut off hence not extracted completely. - +This key is used to capture the old value of the attribute that’s changing in a session -type: boolean +type: keyword -- -*`zeek.files.extracted_size`*:: +*`rsa.misc.operation_id`*:: + -- -The number of bytes extracted to disk. +An alert number or operation number. The values should be unique and non-repeating. - -type: long +type: keyword -- -*`zeek.files.entropy`*:: +*`rsa.misc.event_state`*:: + -- -The information density of the contents of the file. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: double +type: keyword -- -[float] -=== ftp - -Fields exported by the Zeek FTP log +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage +type: keyword +-- -*`zeek.ftp.user`*:: +*`rsa.misc.node`*:: + -- -User name for the current FTP session. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`zeek.ftp.password`*:: +*`rsa.misc.rule`*:: + -- -Password for the current FTP session if captured. - +This key captures the Rule number type: keyword -- -*`zeek.ftp.command`*:: +*`rsa.misc.device_name`*:: + -- -Command given by the client. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`zeek.ftp.arg`*:: +*`rsa.misc.param`*:: + -- -Argument for the command if one is given. - +This key is the parameters passed as part of a command or application, etc. type: keyword -- - -*`zeek.ftp.file.size`*:: +*`rsa.misc.change_attrib`*:: + -- -Size of the file if the command indicates a file transfer. - +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`zeek.ftp.file.mime_type`*:: +*`rsa.misc.event_computer`*:: + -- -Sniffed mime type of file. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`zeek.ftp.file.fuid`*:: +*`rsa.misc.reference_id1`*:: + -- -(present if base/protocols/ftp/files.bro is loaded) -File unique ID. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- - -*`zeek.ftp.reply.code`*:: +*`rsa.misc.event_log`*:: + -- -Reply code from the server in response to the command. +This key captures the Name of the event log - -type: integer +type: keyword -- -*`zeek.ftp.reply.msg`*:: +*`rsa.misc.OS`*:: + -- -Reply message from the server in response to the command. - +This key captures the Name of the Operating System type: keyword -- -[float] -=== data_channel - -Expected FTP data channel. +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only +type: keyword +-- -*`zeek.ftp.data_channel.passive`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Whether PASV mode is toggled for control channel. 
- - -type: boolean +type: keyword -- -*`zeek.ftp.data_channel.originating_host`*:: +*`rsa.misc.filter`*:: + -- -The host that will be initiating the data connection. +This key captures Filter used to reduce result set - -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_host`*:: +*`rsa.misc.serial_number`*:: + -- -The host that will be accepting the data connection. - +This key is the Serial number associated with a physical asset. -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_port`*:: +*`rsa.misc.checksum`*:: + -- -The port at which the acceptor is listening for the data connection. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: integer +type: keyword -- -*`zeek.ftp.cwd`*:: +*`rsa.misc.event_user`*:: + -- -Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -[float] -=== cmdarg - -Command that is currently waiting for a response. +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus +type: keyword +-- -*`zeek.ftp.cmdarg.cmd`*:: +*`rsa.misc.content_type`*:: + -- -Command. - +This key is used to capture Content Type only. type: keyword -- -*`zeek.ftp.cmdarg.arg`*:: +*`rsa.misc.group_id`*:: + -- -Argument for the command if one was given. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`zeek.ftp.cmdarg.seq`*:: +*`rsa.misc.policy_id`*:: + -- -Counter to track how many commands have been executed. 
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: integer +type: keyword -- -*`zeek.ftp.pending_commands`*:: +*`rsa.misc.vsys`*:: + -- -Queue for commands that have been sent but not yet responded to are tracked here. - +This key captures Virtual System Name -type: integer +type: keyword -- -*`zeek.ftp.passive`*:: +*`rsa.misc.connection_id`*:: + -- -Indicates if the session is in active or passive mode. +This key captures the Connection ID - -type: boolean +type: keyword -- -*`zeek.ftp.capture_password`*:: +*`rsa.misc.reference_id2`*:: + -- -Determines if the password will be captured for this request. - +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -type: boolean +type: keyword -- -*`zeek.ftp.last_auth_requested`*:: +*`rsa.misc.sensor`*:: + -- -present if base/protocols/ftp/gridftp.bro is loaded. -Last authentication/security mechanism that was used. - +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -[float] -=== http - -Fields exported by the Zeek HTTP log +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID +type: long +-- -*`zeek.http.trans_depth`*:: +*`rsa.misc.port_name`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: integer +type: keyword -- -*`zeek.http.status_msg`*:: +*`rsa.misc.rule_group`*:: + -- -Status message returned by the server. - +This key captures the Rule group name type: keyword -- -*`zeek.http.info_code`*:: +*`rsa.misc.risk_num`*:: + -- -Last seen 1xx informational reply code returned by the server. 
+This key captures a Numeric Risk value - -type: integer +type: double -- -*`zeek.http.info_msg`*:: +*`rsa.misc.trigger_val`*:: + -- -Last seen 1xx informational reply message returned by the server. - +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`zeek.http.tags`*:: +*`rsa.misc.log_session_id1`*:: + -- -A set of indicators of various attributes discovered and related to a particular -request/response pair. - +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`zeek.http.password`*:: +*`rsa.misc.comp_version`*:: + -- -Password if basic-auth is performed for the request. - +This key captures the Version level of a sub-component of a product. type: keyword -- -*`zeek.http.captured_password`*:: +*`rsa.misc.content_version`*:: + -- -Determines if the password will be captured for this request. - +This key captures Version level of a signature or database content. -type: boolean +type: keyword -- -*`zeek.http.proxied`*:: +*`rsa.misc.hardware_id`*:: + -- -All of the headers that may indicate if the HTTP request was proxied. - +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`zeek.http.range_request`*:: +*`rsa.misc.risk`*:: + -- -Indicates if this request can assume 206 partial content in response. - +This key captures the non-numeric risk value -type: boolean +type: keyword -- -*`zeek.http.client_header_names`*:: +*`rsa.misc.event_id`*:: + -- -The vector of HTTP header names sent by the client. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.server_header_names`*:: +*`rsa.misc.reason`*:: + -- -The vector of HTTP header names sent by the server. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.orig_fuids`*:: +*`rsa.misc.status`*:: + -- -An ordered vector of file unique IDs from the originator. 
- - type: keyword -- -*`zeek.http.orig_mime_types`*:: +*`rsa.misc.mail_id`*:: + -- -An ordered vector of mime types from the originator. - +This key is used to capture the mailbox id/name type: keyword -- -*`zeek.http.orig_filenames`*:: +*`rsa.misc.rule_uid`*:: + -- -An ordered vector of filenames from the originator. - +This key is the Unique Identifier for a rule. type: keyword -- -*`zeek.http.resp_fuids`*:: +*`rsa.misc.trigger_desc`*:: + -- -An ordered vector of file unique IDs from the responder. - +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`zeek.http.resp_mime_types`*:: +*`rsa.misc.inout`*:: + -- -An ordered vector of mime types from the responder. - - type: keyword -- -*`zeek.http.resp_filenames`*:: +*`rsa.misc.p_msgid`*:: + -- -An ordered vector of filenames from the responder. - - type: keyword -- -*`zeek.http.orig_mime_depth`*:: +*`rsa.misc.data_type`*:: + -- -Current number of MIME entities in the HTTP request message body. - - -type: integer +type: keyword -- -*`zeek.http.resp_mime_depth`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Current number of MIME entities in the HTTP response message body. - - -type: integer +type: keyword -- -[float] -=== intel - -Fields exported by the Zeek Intel log. - +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses +type: keyword +-- -*`zeek.intel.seen.indicator`*:: +*`rsa.misc.index`*:: + -- -The intelligence indicator. - - type: keyword -- -*`zeek.intel.seen.indicator_type`*:: +*`rsa.misc.listnum`*:: + -- -The type of data the indicator represents. - +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`zeek.intel.seen.host`*:: +*`rsa.misc.ntype`*:: + -- -If the indicator type was Intel::ADDR, then this field will be present. 
- - type: keyword -- -*`zeek.intel.seen.conn`*:: +*`rsa.misc.observed_val`*:: + -- -If the data was discovered within a connection, the connection record should go here to give context to the data. - +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.seen.where`*:: +*`rsa.misc.policy_value`*:: + -- -Where the data was discovered. - +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`zeek.intel.seen.node`*:: +*`rsa.misc.pool_name`*:: + -- -The name of the node where the match was discovered. - +This key captures the name of a resource pool type: keyword -- -*`zeek.intel.seen.uid`*:: +*`rsa.misc.rule_template`*:: + -- -If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. - +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`zeek.intel.seen.f`*:: +*`rsa.misc.count`*:: + -- -If the data was discovered within a file, the file record should go here to provide context to the data. +type: keyword +-- -type: object +*`rsa.misc.number`*:: ++ +-- +type: keyword -- -*`zeek.intel.seen.fuid`*:: +*`rsa.misc.sigcat`*:: + -- -If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. +type: keyword +-- +*`rsa.misc.type`*:: ++ +-- type: keyword -- -*`zeek.intel.matched`*:: +*`rsa.misc.comments`*:: + -- -Event to represent a match in the intelligence data from data that was seen. - +Comment information provided in the log message type: keyword -- -*`zeek.intel.sources`*:: +*`rsa.misc.doc_number`*:: + -- -Sources which supplied data for this match. 
+This key captures File Identification number - -type: keyword +type: long -- -*`zeek.intel.fuid`*:: +*`rsa.misc.expected_val`*:: + -- -If a file was associated with this intelligence hit, this is the uid for the file. - +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.file_mime_type`*:: +*`rsa.misc.job_num`*:: + -- -A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. - +This key captures the Job Number type: keyword -- -*`zeek.intel.file_desc`*:: +*`rsa.misc.spi_dst`*:: + -- -Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. - +Destination SPI Index type: keyword -- -[float] -=== irc - -Fields exported by the Zeek IRC log +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index +type: keyword +-- -*`zeek.irc.nick`*:: +*`rsa.misc.code`*:: + -- -Nickname given for the connection. - - type: keyword -- -*`zeek.irc.user`*:: +*`rsa.misc.agent_id`*:: + -- -Username given for the connection. - +This key is used to capture agent id type: keyword -- -*`zeek.irc.command`*:: +*`rsa.misc.message_body`*:: + -- -Command given by the client. - +This key captures the The contents of the message body. type: keyword -- -*`zeek.irc.value`*:: +*`rsa.misc.phone`*:: + -- -Value for the command given by the client. - - type: keyword -- -*`zeek.irc.addl`*:: +*`rsa.misc.sig_id_str`*:: + -- -Any additional data for the command. - +This key captures a string object of the sigid variable. type: keyword -- +*`rsa.misc.cmd`*:: ++ +-- +type: keyword +-- -*`zeek.irc.dcc.file.name`*:: +*`rsa.misc.misc`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. -DCC filename requested. +type: keyword +-- +*`rsa.misc.name`*:: ++ +-- type: keyword -- -*`zeek.irc.dcc.file.size`*:: +*`rsa.misc.cpu`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. 
-Size of the DCC transfer as indicated by the sender. - +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`zeek.irc.dcc.mime_type`*:: +*`rsa.misc.event_desc`*:: + -- -present if base/protocols/irc/dcc-send.bro is loaded. -Sniffed mime type of the file. - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`zeek.irc.fuid`*:: +*`rsa.misc.sig_id1`*:: + -- -present if base/protocols/irc/files.bro is loaded. -File unique ID. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[float] -=== kerberos - -Fields exported by the Zeek Kerberos log - - - -*`zeek.kerberos.request_type`*:: +*`rsa.misc.im_buddyid`*:: + -- -Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - type: keyword -- -*`zeek.kerberos.client`*:: +*`rsa.misc.im_client`*:: + -- -Client name. +type: keyword +-- +*`rsa.misc.im_userid`*:: ++ +-- type: keyword -- -*`zeek.kerberos.service`*:: +*`rsa.misc.pid`*:: + -- -Service name. +type: keyword +-- +*`rsa.misc.priority`*:: ++ +-- type: keyword -- -*`zeek.kerberos.success`*:: +*`rsa.misc.context_subject`*:: + -- -Request result. - +This key is to be used in an audit context where the subject is the object being identified -type: boolean +type: keyword -- - -*`zeek.kerberos.error.code`*:: +*`rsa.misc.context_target`*:: + -- -Error code. - - -type: integer +type: keyword -- -*`zeek.kerberos.error.msg`*:: +*`rsa.misc.cve`*:: + -- -Error message. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- - -*`zeek.kerberos.valid.from`*:: +*`rsa.misc.fcatnum`*:: + -- -Ticket valid from. - +This key captures Filter Category Number. Legacy Usage -type: date +type: keyword -- -*`zeek.kerberos.valid.until`*:: +*`rsa.misc.library`*:: + -- -Ticket valid until. 
+This key is used to capture library information in mainframe devices - -type: date +type: keyword -- -*`zeek.kerberos.valid.days`*:: +*`rsa.misc.parent_node`*:: + -- -Number of days the ticket is valid for. - +This key captures the Parent Node Name. Must be related to node variable. -type: integer +type: keyword -- -*`zeek.kerberos.cipher`*:: +*`rsa.misc.risk_info`*:: + -- -Ticket encryption type. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.kerberos.forwardable`*:: +*`rsa.misc.tcp_flags`*:: + -- -Forwardable ticket requested. - +This key is captures the TCP flags set in any packet of session -type: boolean +type: long -- -*`zeek.kerberos.renewable`*:: +*`rsa.misc.tos`*:: + -- -Renewable ticket requested. +This key describes the type of service - -type: boolean +type: long -- - -*`zeek.kerberos.ticket.auth`*:: +*`rsa.misc.vm_target`*:: + -- -Hash of ticket used to authorize request/transaction. - +VMWare Target **VMWARE** only varaible. type: keyword -- -*`zeek.kerberos.ticket.new`*:: +*`rsa.misc.workspace`*:: + -- -Hash of ticket returned by the KDC. - +This key captures Workspace Description type: keyword -- - - -*`zeek.kerberos.cert.client.value`*:: +*`rsa.misc.command`*:: + -- -Client certificate. +type: keyword +-- +*`rsa.misc.event_category`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.fuid`*:: +*`rsa.misc.facilityname`*:: + -- -File unique ID of client cert. +type: keyword +-- +*`rsa.misc.forensic_info`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.subject`*:: +*`rsa.misc.jobname`*:: + -- -Subject of client certificate. +type: keyword +-- +*`rsa.misc.mode`*:: ++ +-- type: keyword -- - -*`zeek.kerberos.cert.server.value`*:: +*`rsa.misc.policy`*:: + -- -Server certificate. +type: keyword +-- +*`rsa.misc.policy_waiver`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.fuid`*:: +*`rsa.misc.second`*:: + -- -File unique ID of server certificate. 
+type: keyword +-- +*`rsa.misc.space1`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.subject`*:: +*`rsa.misc.subcategory`*:: + -- -Subject of server certificate. +type: keyword +-- +*`rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -[float] -=== modbus - -Fields exported by the Zeek modbus log. +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +type: keyword +-- -*`zeek.modbus.function`*:: +*`rsa.misc.checksum_dst`*:: + -- -The name of the function message that was sent. - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`zeek.modbus.exception`*:: +*`rsa.misc.checksum_src`*:: + -- -The exception if the response was a failure. - +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`zeek.modbus.track_address`*:: +*`rsa.misc.fresult`*:: + -- -Present if policy/protocols/modbus/track-memmap.bro is loaded. -Modbus track address. +This key captures the Filter Result - -type: integer +type: long -- -[float] -=== mysql - -Fields exported by the Zeek MySQL log. +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload +type: keyword +-- -*`zeek.mysql.cmd`*:: +*`rsa.misc.payload_src`*:: + -- -The command that was issued. - +This key is used to capture source payload type: keyword -- -*`zeek.mysql.arg`*:: +*`rsa.misc.pool_id`*:: + -- -The argument issued to the command. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`zeek.mysql.success`*:: +*`rsa.misc.process_id_val`*:: + -- -Whether the command succeeded. - +This key is a failure key for Process ID when it is not an integer value -type: boolean +type: keyword -- -*`zeek.mysql.rows`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The number of affected rows, if any. 
+This key captures Risk Number Community - -type: integer +type: double -- -*`zeek.mysql.response`*:: +*`rsa.misc.risk_num_next`*:: + -- -Server message, if any. - +This key captures Risk Number NextGen -type: keyword +type: double -- -[float] -=== notice - -Fields exported by the Zeek Notice log. +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox +type: double +-- -*`zeek.notice.connection_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -Identifier of the related connection session. +This key captures Risk Number Static - -type: keyword +type: double -- -*`zeek.notice.icmp_id`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Identifier of the related ICMP session. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.id`*:: +*`rsa.misc.risk_warning`*:: + -- -An identifier associated with a single file that is related to this notice. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.parent_id`*:: +*`rsa.misc.snmp_oid`*:: + -- -Identifier associated with a container file from which this one was extracted. - +SNMP Object Identifier type: keyword -- -*`zeek.notice.file.source`*:: +*`rsa.misc.sql`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key captures the SQL query type: keyword -- -*`zeek.notice.file.mime_type`*:: +*`rsa.misc.vuln_ref`*:: + -- -A mime type if the notice is related to a file. - +This key captures the Vulnerability Reference details type: keyword -- -*`zeek.notice.file.is_orig`*:: +*`rsa.misc.acl_id`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. 
+type: keyword +-- -type: boolean +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.seen_bytes`*:: +*`rsa.misc.acl_pos`*:: + -- -Number of bytes provided to the file analysis engine for the file. +type: keyword +-- -type: long +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword -- -*`zeek.notice.ffile.total_bytes`*:: +*`rsa.misc.admin`*:: + -- -Total number of bytes that are supposed to comprise the full file. +type: keyword +-- -type: long +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.missing_bytes`*:: +*`rsa.misc.alarmname`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +type: keyword +-- -type: long +*`rsa.misc.app_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.overflow_bytes`*:: +*`rsa.misc.audit`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +type: keyword +-- -type: long +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`zeek.notice.fuid`*:: +*`rsa.misc.auditdata`*:: + -- -A file unique ID if this notice is related to a file. +type: keyword +-- +*`rsa.misc.benchmark`*:: ++ +-- type: keyword -- -*`zeek.notice.note`*:: +*`rsa.misc.bypass`*:: + -- -The type of the notice. +type: keyword +-- +*`rsa.misc.cache`*:: ++ +-- type: keyword -- -*`zeek.notice.msg`*:: +*`rsa.misc.cache_hit`*:: + -- -The human readable message for the notice. +type: keyword +-- +*`rsa.misc.cefversion`*:: ++ +-- type: keyword -- -*`zeek.notice.sub`*:: +*`rsa.misc.cfg_attr`*:: + -- -The human readable sub-message. +type: keyword +-- +*`rsa.misc.cfg_obj`*:: ++ +-- type: keyword -- -*`zeek.notice.n`*:: +*`rsa.misc.cfg_path`*:: + -- -Associated count, or a status code. +type: keyword +-- -type: long +*`rsa.misc.changes`*:: ++ +-- +type: keyword -- -*`zeek.notice.peer_name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of remote peer that raised this notice. 
+type: keyword +-- +*`rsa.misc.clustermembers`*:: ++ +-- type: keyword -- -*`zeek.notice.peer_descr`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Textual description for the peer that raised this notice. +type: keyword +-- -type: text +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword -- -*`zeek.notice.actions`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -The actions which have been applied to this notice. +type: keyword +-- +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- type: keyword -- -*`zeek.notice.email_body_sections`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -By adding chunks of text into this element, other scripts can expand on notices -that are being emailed. +type: keyword +-- -type: text +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword -- -*`zeek.notice.email_delay_tokens`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Adding a string token to this set will cause the built-in emailing functionality -to delay sending the email either the token has been removed or the email -has been delayed for the specified time duration. +type: keyword +-- +*`rsa.misc.cn_engine_type`*:: ++ +-- type: keyword -- -*`zeek.notice.identifier`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This field is provided when a notice is generated for the purpose of deduplicating notices. +type: keyword +-- +*`rsa.misc.cn_flowsampid`*:: ++ +-- type: keyword -- -*`zeek.notice.suppress_for`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This field indicates the length of time that this unique notice should be suppressed. +type: keyword +-- -type: double +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword -- -*`zeek.notice.dropped`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Indicate if the source IP address was dropped and denied network access. +type: keyword +-- -type: boolean +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword -- -[float] -=== ntlm +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword -Fields exported by the Zeek NTLM log. 
+-- +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.domain`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Domain name given by the client. +type: keyword +-- +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- type: keyword -- -*`zeek.ntlm.hostname`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Hostname given by the client. +type: keyword +-- +*`rsa.misc.cn_log_did`*:: ++ +-- type: keyword -- -*`zeek.ntlm.success`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Indicate whether or not the authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword -- -*`zeek.ntlm.username`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Username given by the client. +type: keyword +-- +*`rsa.misc.cn_min_ttl`*:: ++ +-- type: keyword -- +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.server.name.dns`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -DNS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.netbios`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -NetBIOS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.tree`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Tree name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- type: keyword -- -[float] -=== ocsp +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword -Fields exported by the Zeek OCSP log -Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. +-- +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword +-- -*`zeek.ocsp.file_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -File id of the OCSP reply. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.algorithm`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Hash algorithm used to generate issuerNameHash and issuerKeyHash. 
+type: keyword +-- +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.issuer.name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Hash of the issuer's distingueshed name. +type: keyword +-- +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- type: keyword -- -*`zeek.ocsp.hash.issuer.key`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Hash of the issuer's public key. +type: keyword +-- +*`rsa.misc.cn_sampalgo`*:: ++ +-- type: keyword -- -*`zeek.ocsp.serial_number`*:: +*`rsa.misc.cn_sampint`*:: + -- -Serial number of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_seqctr`*:: ++ +-- type: keyword -- -*`zeek.ocsp.status`*:: +*`rsa.misc.cn_spackets`*:: + -- -Status of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.revoke.time`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Time at which the certificate was revoked. +type: keyword +-- -type: date +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.revoke.reason`*:: +*`rsa.misc.cn_template_id`*:: + -- -Reason for which the certificate was revoked. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.update.this`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -The time at which the status being shows is known to have been correct. +type: keyword +-- -type: date +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.update.next`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The latest time at which new information about the status of the certificate will be available. +type: keyword +-- -type: date +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword -- -[float] -=== pe +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword -Fields exported by the Zeek pe log. +-- +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword +-- -*`zeek.pe.client`*:: +*`rsa.misc.comp_name`*:: + -- -The client's version string. 
+type: keyword +-- +*`rsa.misc.comp_rbytes`*:: ++ +-- type: keyword -- -*`zeek.pe.id`*:: +*`rsa.misc.comp_sbytes`*:: + -- -File id of this portable executable file. - - type: keyword -- -*`zeek.pe.machine`*:: +*`rsa.misc.cpu_data`*:: + -- -The target machine that the file was compiled for. - - type: keyword -- -*`zeek.pe.compile_time`*:: +*`rsa.misc.criticality`*:: + -- -The time that the file was created at. - - -type: date +type: keyword -- -*`zeek.pe.os`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -The required operating system. - - type: keyword -- -*`zeek.pe.subsystem`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -The subsystem that is required to run this file. - - type: keyword -- -*`zeek.pe.is_exe`*:: +*`rsa.misc.cs_av_other`*:: + -- -Is the file an executable, or just an object file? - - -type: boolean +type: keyword -- -*`zeek.pe.is_64bit`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Is the file a 64-bit executable? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_aslr`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Does the file support Address Space Layout Randomization? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_dep`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Does the file support Data Execution Prevention? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_code_integrity`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Does the file enforce code integrity checks? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_seh`*:: +*`rsa.misc.cs_context`*:: + -- -Does the file use structured exception handing? - - -type: boolean +type: keyword -- -*`zeek.pe.has_import_table`*:: +*`rsa.misc.cs_control`*:: + -- -Does the file have an import table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_export_table`*:: +*`rsa.misc.cs_data`*:: + -- -Does the file have an export table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_cert_table`*:: +*`rsa.misc.cs_datecret`*:: + -- -Does the file have an attribute certificate table? 
- - -type: boolean +type: keyword -- -*`zeek.pe.has_debug_data`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Does the file have a debug table? - - -type: boolean +type: keyword -- -*`zeek.pe.section_names`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -The names of the sections, in order. - - type: keyword -- -[float] -=== radius - -Fields exported by the Zeek Radius log. - - - -*`zeek.radius.username`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -The username, if present. - - type: keyword -- -*`zeek.radius.mac`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -MAC address, if present. - - type: keyword -- -*`zeek.radius.framed_addr`*:: +*`rsa.misc.cs_filetype`*:: + -- -The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - -type: ip +type: keyword -- -*`zeek.radius.remote_ip`*:: +*`rsa.misc.cs_fld`*:: + -- -Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - -type: ip +type: keyword -- -*`zeek.radius.connect_info`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Connect info, if present. - - type: keyword -- -*`zeek.radius.reply_msg`*:: +*`rsa.misc.cs_if_name`*:: + -- -Reply message from the server challenge. This is frequently shown to the user authenticating. - - type: keyword -- -*`zeek.radius.result`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Successful or failed authentication. - - type: keyword -- -*`zeek.radius.ttl`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - -type: integer +type: keyword -- -*`zeek.radius.logged`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Whether this has already been logged and can be ignored. - - -type: boolean +type: keyword -- -[float] -=== rdp - -Fields exported by the Zeek RDP log. 
- - - -*`zeek.rdp.cookie`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Cookie value used by the client machine. This is typically a username. - - type: keyword -- -*`zeek.rdp.result`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. +type: keyword +-- +*`rsa.misc.cs_loginname`*:: ++ +-- type: keyword -- -*`zeek.rdp.security_protocol`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Security protocol chosen by the server. +type: keyword +-- +*`rsa.misc.cs_modulesign`*:: ++ +-- type: keyword -- -*`zeek.rdp.keyboard_layout`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Keyboard layout (language) of the client machine. +type: keyword +-- +*`rsa.misc.cs_payload`*:: ++ +-- type: keyword -- - -*`zeek.rdp.client.build`*:: +*`rsa.misc.cs_registrant`*:: + -- -RDP client version used by the client machine. +type: keyword +-- +*`rsa.misc.cs_registrar`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.client_name`*:: +*`rsa.misc.cs_represult`*:: + -- -Name of the client machine. +type: keyword +-- +*`rsa.misc.cs_rpayload`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.product_id`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Product ID of the client machine. +type: keyword +-- +*`rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- - -*`zeek.rdp.desktop.width`*:: +*`rsa.misc.cs_streams`*:: + -- -Desktop width of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.height`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Desktop height of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.color_depth`*:: +*`rsa.misc.cs_yararesult`*:: + -- -The color depth requested by the client in the high_color_depth field. 
+type: keyword +-- +*`rsa.misc.description`*:: ++ +-- type: keyword -- - -*`zeek.rdp.cert.type`*:: +*`rsa.misc.devvendor`*:: + -- -If the connection is being encrypted with native RDP encryption, this is the type of cert being used. +type: keyword +-- +*`rsa.misc.distance`*:: ++ +-- type: keyword -- -*`zeek.rdp.cert.count`*:: +*`rsa.misc.dstburb`*:: + -- -The number of certs seen. X.509 can transfer an entire certificate chain. +type: keyword +-- -type: integer +*`rsa.misc.edomain`*:: ++ +-- +type: keyword -- -*`zeek.rdp.cert.permanent`*:: +*`rsa.misc.edomaub`*:: + -- -Indicates if the provided certificate or certificate chain is permanent or temporary. - +type: keyword -type: boolean +-- +*`rsa.misc.euid`*:: ++ -- +type: keyword +-- -*`zeek.rdp.encryption.level`*:: +*`rsa.misc.facility`*:: + -- -Encryption level of the connection. +type: keyword +-- +*`rsa.misc.finterface`*:: ++ +-- type: keyword -- -*`zeek.rdp.encryption.method`*:: +*`rsa.misc.flags`*:: + -- -Encryption method of the connection. +type: keyword +-- +*`rsa.misc.gaddr`*:: ++ +-- type: keyword -- -*`zeek.rdp.done`*:: +*`rsa.misc.id3`*:: + -- -Track status of logging RDP connections. +type: keyword +-- -type: boolean +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword -- -*`zeek.rdp.ssl`*:: +*`rsa.misc.im_croomid`*:: + -- -(present if policy/protocols/rdp/indicate_ssl.bro is loaded) -Flag the connection if it was seen over SSL. +type: keyword +-- -type: boolean +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword -- -[float] -=== rfb +*`rsa.misc.im_members`*:: ++ +-- +type: keyword -Fields exported by the Zeek RFB log. +-- +*`rsa.misc.im_username`*:: ++ +-- +type: keyword +-- +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword +-- -*`zeek.rfb.version.client.major`*:: +*`rsa.misc.ipscat`*:: + -- -Major version of the client. +type: keyword +-- +*`rsa.misc.ipspri`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.client.minor`*:: +*`rsa.misc.latitude`*:: + -- -Minor version of the client. 
+type: keyword +-- +*`rsa.misc.linenum`*:: ++ +-- type: keyword -- - -*`zeek.rfb.version.server.major`*:: +*`rsa.misc.list_name`*:: + -- -Major version of the server. +type: keyword +-- +*`rsa.misc.load_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.server.minor`*:: +*`rsa.misc.location_floor`*:: + -- -Minor version of the server. +type: keyword +-- +*`rsa.misc.location_mark`*:: ++ +-- type: keyword -- - -*`zeek.rfb.auth.success`*:: +*`rsa.misc.log_id`*:: + -- -Whether or not authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.log_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.auth.method`*:: +*`rsa.misc.logid`*:: + -- -Identifier of authentication method used. +type: keyword +-- +*`rsa.misc.logip`*:: ++ +-- type: keyword -- -*`zeek.rfb.share_flag`*:: +*`rsa.misc.logname`*:: + -- -Whether the client has an exclusive or a shared session. +type: keyword +-- -type: boolean +*`rsa.misc.longitude`*:: ++ +-- +type: keyword -- -*`zeek.rfb.desktop_name`*:: +*`rsa.misc.lport`*:: + -- -Name of the screen that is being shared. +type: keyword +-- +*`rsa.misc.mbug_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.width`*:: +*`rsa.misc.misc_name`*:: + -- -Width of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.height`*:: +*`rsa.misc.msgid`*:: + -- -Height of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword -- -[float] -=== sip +*`rsa.misc.num`*:: ++ +-- +type: keyword -Fields exported by the Zeek SIP log. +-- +*`rsa.misc.number1`*:: ++ +-- +type: keyword +-- -*`zeek.sip.transaction_depth`*:: +*`rsa.misc.number2`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. - +type: keyword -type: integer +-- +*`rsa.misc.nwwn`*:: ++ -- +type: keyword +-- -*`zeek.sip.sequence.method`*:: +*`rsa.misc.object`*:: + -- -Verb used in the SIP request (INVITE, REGISTER etc.). 
+type: keyword +-- +*`rsa.misc.operation`*:: ++ +-- type: keyword -- -*`zeek.sip.sequence.number`*:: +*`rsa.misc.opkt`*:: + -- -Contents of the CSeq: header from the client. +type: keyword +-- +*`rsa.misc.orig_from`*:: ++ +-- type: keyword -- -*`zeek.sip.uri`*:: +*`rsa.misc.owner_id`*:: + -- -URI used in the request. +type: keyword +-- +*`rsa.misc.p_action`*:: ++ +-- type: keyword -- -*`zeek.sip.date`*:: +*`rsa.misc.p_filter`*:: + -- -Contents of the Date: header from the client. +type: keyword +-- +*`rsa.misc.p_group_object`*:: ++ +-- type: keyword -- - -*`zeek.sip.request.from`*:: +*`rsa.misc.p_id`*:: + -- -Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.p_msgid1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.to`*:: +*`rsa.misc.p_msgid2`*:: + -- -Contents of the To: header. +type: keyword +-- +*`rsa.misc.p_result1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.path`*:: +*`rsa.misc.password_chg`*:: + -- -The client message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.password_expire`*:: ++ +-- type: keyword -- -*`zeek.sip.request.body_length`*:: +*`rsa.misc.permgranted`*:: + -- -Contents of the Content-Length: header from the client. - +type: keyword -type: long +-- +*`rsa.misc.permwanted`*:: ++ -- +type: keyword +-- -*`zeek.sip.response.from`*:: +*`rsa.misc.pgid`*:: + -- -Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.policyUUID`*:: ++ +-- type: keyword -- -*`zeek.sip.response.to`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Contents of the response To: header. +type: keyword +-- +*`rsa.misc.program`*:: ++ +-- type: keyword -- -*`zeek.sip.response.path`*:: +*`rsa.misc.real_data`*:: + -- -The server message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`zeek.sip.response.body_length`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Contents of the Content-Length: header from the server. +type: keyword +-- -type: long +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword -- -*`zeek.sip.reply_to`*:: +*`rsa.misc.recordnum`*:: + -- -Contents of the Reply-To: header. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`zeek.sip.call_id`*:: +*`rsa.misc.sburb`*:: + -- -Contents of the Call-ID: header from the client. +type: keyword +-- +*`rsa.misc.sdomain_fld`*:: ++ +-- type: keyword -- -*`zeek.sip.subject`*:: +*`rsa.misc.sec`*:: + -- -Contents of the Subject: header from the client. +type: keyword +-- +*`rsa.misc.sensorname`*:: ++ +-- type: keyword -- -*`zeek.sip.user_agent`*:: +*`rsa.misc.seqnum`*:: + -- -Contents of the User-Agent: header from the client. +type: keyword +-- +*`rsa.misc.session`*:: ++ +-- type: keyword -- - -*`zeek.sip.status.code`*:: +*`rsa.misc.sessiontype`*:: + -- -Status code returned by the server. +type: keyword +-- -type: integer +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword -- -*`zeek.sip.status.msg`*:: +*`rsa.misc.spi`*:: + -- -Status message returned by the server. +type: keyword +-- +*`rsa.misc.srcburb`*:: ++ +-- type: keyword -- -*`zeek.sip.warning`*:: +*`rsa.misc.srcdom`*:: + -- -Contents of the Warning: header. 
+type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`zeek.sip.content_type`*:: +*`rsa.misc.state`*:: + -- -Contents of the Content-Type: header from the server. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -[float] -=== smb_cmd +*`rsa.misc.svcno`*:: ++ +-- +type: keyword -Fields exported by the Zeek smb_cmd log. +-- +*`rsa.misc.system`*:: ++ +-- +type: keyword +-- -*`zeek.smb_cmd.command`*:: +*`rsa.misc.tbdstr1`*:: + -- -The command sent by the client. +type: keyword +-- +*`rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.sub_command`*:: +*`rsa.misc.tgtdomain`*:: + -- -The subcommand sent by the client, if present. - - type: keyword -- -*`zeek.smb_cmd.argument`*:: +*`rsa.misc.threshold`*:: + -- -Command argument sent by the client, if any. - - type: keyword -- -*`zeek.smb_cmd.status`*:: +*`rsa.misc.type1`*:: + -- -Server reply to the client's command. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.rtt`*:: +*`rsa.misc.url_fld`*:: + -- -Round trip time from the request to the response. +type: keyword +-- -type: double +*`rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`zeek.smb_cmd.version`*:: +*`rsa.misc.userid`*:: + -- -Version of SMB for the command. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.username`*:: +*`rsa.misc.utcstamp`*:: + -- -Authenticated username, if available. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree`*:: +*`rsa.misc.virt_data`*:: + -- -If this is related to a tree, this is the tree that was used for the current command. +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree_service`*:: +*`rsa.misc.autorun_type`*:: + -- -The type of tree (disk share, printer share, named pipe, etc.). - +This is used to capture Auto Run type type: keyword -- -[float] -=== file - -If the command referenced a file, store it here. 
+*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only +type: long +-- -*`zeek.smb_cmd.file.name`*:: +*`rsa.misc.content`*:: + -- -Filename if one was seen. - +This key captures the content type from protocol headers type: keyword -- -*`zeek.smb_cmd.file.action`*:: +*`rsa.misc.ein_number`*:: + -- -Action this log record represents. +Employee Identification Numbers only - -type: keyword +type: long -- -*`zeek.smb_cmd.file.uid`*:: +*`rsa.misc.found`*:: + -- -UID of the referenced file. - +This is used to capture the results of regex match type: keyword -- - -*`zeek.smb_cmd.file.host.tx`*:: +*`rsa.misc.language`*:: + -- -Address of the transmitting host. - +This is used to capture list of languages the client support and what it prefers -type: ip +type: keyword -- -*`zeek.smb_cmd.file.host.rx`*:: +*`rsa.misc.lifetime`*:: + -- -Address of the receiving host. +This key is used to capture the session lifetime in seconds. - -type: ip +type: long -- -*`zeek.smb_cmd.smb1_offered_dialects`*:: +*`rsa.misc.link`*:: + -- -Present if base/protocols/smb/smb1-main.bro is loaded. -Dialects offered by the client. - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.smb_cmd.smb2_offered_dialects`*:: +*`rsa.misc.match`*:: + -- -Present if base/protocols/smb/smb2-main.bro is loaded. -Dialects offered by the client. +This key is for regex match name from search.ini - -type: integer +type: keyword -- -[float] -=== smb_files - -Fields exported by the Zeek SMB Files log. - - - -*`zeek.smb_files.action`*:: +*`rsa.misc.param_dst`*:: + -- -Action this log record represents. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`zeek.smb_files.fid`*:: +*`rsa.misc.param_src`*:: + -- -ID referencing this file. 
- +This key captures source parameter -type: integer +type: keyword -- -*`zeek.smb_files.name`*:: +*`rsa.misc.search_text`*:: + -- -Filename if one was seen. - +This key captures the Search Text used type: keyword -- -*`zeek.smb_files.path`*:: +*`rsa.misc.sig_name`*:: + -- -Path pulled from the tree this file was transferred to or from. - +This key is used to capture the Signature Name only. type: keyword -- -*`zeek.smb_files.previous_name`*:: +*`rsa.misc.snmp_value`*:: + -- -If the rename action was seen, this will be the file's previous name. - +SNMP set request value type: keyword -- -*`zeek.smb_files.size`*:: +*`rsa.misc.streams`*:: + -- -Byte size of the file. - +This key captures number of streams in session type: long -- -[float] -=== times - -Timestamps of the file. - - -*`zeek.smb_files.times.accessed`*:: +*`rsa.db.index`*:: + -- -The file's access time. +This key captures IndexID of the index. - -type: date +type: keyword -- -*`zeek.smb_files.times.changed`*:: +*`rsa.db.instance`*:: + -- -The file's change time. - +This key is used to capture the database server instance name -type: date +type: keyword -- -*`zeek.smb_files.times.created`*:: +*`rsa.db.database`*:: + -- -The file's create time. +This key is used to capture the name of a database or an instance as seen in a session - -type: date +type: keyword -- -*`zeek.smb_files.times.modified`*:: +*`rsa.db.transact_id`*:: + -- -The file's modify time. - +This key captures the SQL transantion ID of the current session -type: date +type: keyword -- -*`zeek.smb_files.uuid`*:: +*`rsa.db.permissions`*:: + -- -UUID referencing this file if DCE/RPC. - +This key captures permission or privilege level assigned to a resource. type: keyword -- -[float] -=== smb_mapping - -Fields exported by the Zeek SMB_Mapping log. +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name +type: keyword +-- -*`zeek.smb_mapping.path`*:: +*`rsa.db.db_id`*:: + -- -Name of the tree path. 
- +This key is used to capture the unique identifier for a database type: keyword -- -*`zeek.smb_mapping.service`*:: +*`rsa.db.db_pid`*:: + -- -The type of resource of the tree (disk share, printer share, named pipe, etc.). +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`zeek.smb_mapping.native_file_system`*:: +*`rsa.db.lread`*:: + -- -File system of the tree. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`zeek.smb_mapping.share_type`*:: +*`rsa.db.lwrite`*:: + -- -If this is SMB2, a share type will be included. For SMB1, the type of share -will be deduced and included as well. - +This key is used for the number of logical writes -type: keyword +type: long -- -[float] -=== smtp +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes -Fields exported by the Zeek SMTP log. +type: long +-- -*`zeek.smtp.transaction_depth`*:: +*`rsa.network.alias_host`*:: + -- -A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. -type: integer +type: keyword -- -*`zeek.smtp.helo`*:: +*`rsa.network.domain`*:: + -- -Contents of the Helo header. - - type: keyword -- -*`zeek.smtp.mail_from`*:: +*`rsa.network.host_dst`*:: + -- -Email addresses found in the MAIL FROM header. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`zeek.smtp.rcpt_to`*:: +*`rsa.network.network_service`*:: + -- -Email addresses found in the RCPT TO header. - +This is used to capture layer 7 protocols/service names type: keyword -- -*`zeek.smtp.date`*:: +*`rsa.network.interface`*:: + -- -Contents of the Date header. 
+This key should be used when the source or destination context of an interface is not clear - -type: date +type: keyword -- -*`zeek.smtp.from`*:: +*`rsa.network.network_port`*:: + -- -Contents of the From header. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`zeek.smtp.to`*:: +*`rsa.network.eth_host`*:: + -- -Contents of the To header. - +Deprecated, use alias.mac type: keyword -- -*`zeek.smtp.cc`*:: +*`rsa.network.sinterface`*:: + -- -Contents of the CC header. - +This key should only be used when it’s a Source Interface type: keyword -- -*`zeek.smtp.reply_to`*:: +*`rsa.network.dinterface`*:: + -- -Contents of the ReplyTo header. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`zeek.smtp.msg_id`*:: +*`rsa.network.vlan`*:: + -- -Contents of the MsgID header. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`zeek.smtp.in_reply_to`*:: +*`rsa.network.zone_src`*:: + -- -Contents of the In-Reply-To header. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`zeek.smtp.subject`*:: +*`rsa.network.zone`*:: + -- -Contents of the Subject header. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`zeek.smtp.x_originating_ip`*:: +*`rsa.network.zone_dst`*:: + -- -Contents of the X-Originating-IP header. - +This key should only be used when it’s a Destination Zone. type: keyword -- -*`zeek.smtp.first_received`*:: +*`rsa.network.gateway`*:: + -- -Contents of the first Received header. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`zeek.smtp.second_received`*:: +*`rsa.network.icmp_type`*:: + -- -Contents of the second Received header. 
+This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`zeek.smtp.last_reply`*:: +*`rsa.network.mask`*:: + -- -The last message that the server sent to the client. - +This key is used to capture the device network IPmask. type: keyword -- -*`zeek.smtp.path`*:: +*`rsa.network.icmp_code`*:: + -- -The message transmission path, as extracted from the headers. +This key is used to capture the ICMP code only - -type: ip +type: long -- -*`zeek.smtp.user_agent`*:: +*`rsa.network.protocol_detail`*:: + -- -Value of the User-Agent header from the client. - +This key should be used to capture additional protocol information type: keyword -- -*`zeek.smtp.tls`*:: +*`rsa.network.dmask`*:: + -- -Indicates that the connection has switched to using TLS. +This key is used for Destionation Device network mask - -type: boolean +type: keyword -- -*`zeek.smtp.process_received_from`*:: +*`rsa.network.port`*:: + -- -Indicates if the "Received: from" headers should still be processed. - +This key should only be used to capture a Network Port when the directionality is not clear -type: boolean +type: long -- -*`zeek.smtp.has_client_activity`*:: +*`rsa.network.smask`*:: + -- -Indicates if client activity has been seen, but not yet logged. +This key is used for capturing source Network Mask - -type: boolean +type: keyword -- -*`zeek.smtp.fuids`*:: +*`rsa.network.netname`*:: + -- -(present if base/protocols/smtp/files.bro is loaded) -An ordered vector of file unique IDs seen attached to the message. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`zeek.smtp.is_webmail`*:: +*`rsa.network.paddr`*:: + -- -Indicates if the message was sent through a webmail interface. - +Deprecated -type: boolean +type: ip -- -[float] -=== snmp - -Fields exported by the Zeek SNMP log. 
- - - -*`zeek.snmp.duration`*:: +*`rsa.network.faddr`*:: + -- -The amount of time between the first packet beloning to the SNMP session and the latest one seen. - - -type: double +type: keyword -- -*`zeek.snmp.version`*:: +*`rsa.network.lhost`*:: + -- -The version of SNMP being used. - - type: keyword -- -*`zeek.snmp.community`*:: +*`rsa.network.origin`*:: + -- -The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - - type: keyword -- - -*`zeek.snmp.get.requests`*:: +*`rsa.network.remote_domain_id`*:: + -- -The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.bulk_requests`*:: +*`rsa.network.addr`*:: + -- -The number of variable bindings in GetBulkRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.responses`*:: +*`rsa.network.dns_a_record`*:: + -- -The number of variable bindings in GetResponse/Response PDUs seen for the session. - - -type: integer +type: keyword -- - -*`zeek.snmp.set.requests`*:: +*`rsa.network.dns_ptr_record`*:: + -- -The number of variable bindings in SetRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.display_string`*:: +*`rsa.network.fhost`*:: + -- -A system description of the SNMP responder endpoint. - - type: keyword -- -*`zeek.snmp.up_since`*:: +*`rsa.network.fport`*:: + -- -The time at which the SNMP responder endpoint claims it's been up since. - - -type: date +type: keyword -- -[float] -=== socks - -Fields exported by the Zeek SOCKS log. - - - -*`zeek.socks.version`*:: +*`rsa.network.laddr`*:: + -- -Protocol version of SOCKS. - - -type: integer +type: keyword -- -*`zeek.socks.user`*:: +*`rsa.network.linterface`*:: + -- -Username used to request a login to the proxy. 
- - type: keyword -- -*`zeek.socks.password`*:: +*`rsa.network.phost`*:: + -- -Password used to request a login to the proxy. - - type: keyword -- -*`zeek.socks.status`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Server status for the attempt at using the proxy. - +Deprecated, use host.dst type: keyword -- - -*`zeek.socks.request.host`*:: +*`rsa.network.eth_type`*:: + -- -Client requested SOCKS address. Could be an address, a name or both. +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`zeek.socks.request.port`*:: +*`rsa.network.ip_proto`*:: + -- -Client requested port. - +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: integer +type: long -- - -*`zeek.socks.bound.host`*:: +*`rsa.network.dns_cname_record`*:: + -- -Server bound address. Could be an address, a name or both. - - type: keyword -- -*`zeek.socks.bound.port`*:: +*`rsa.network.dns_id`*:: + -- -Server bound port. - - -type: integer +type: keyword -- -*`zeek.socks.capture_password`*:: +*`rsa.network.dns_opcode`*:: + -- -Determines if the password will be captured for this request. - - -type: boolean +type: keyword -- -[float] -=== ssh - -Fields exported by the Zeek SSH log. - +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword +-- -*`zeek.ssh.client`*:: +*`rsa.network.dns_type`*:: + -- -The client's version string. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`zeek.ssh.direction`*:: +*`rsa.network.host_type`*:: + -- -Direction of the connection. If the client was a local host logging into -an external host, this would be OUTBOUND. INBOUND would be set for the -opposite situation. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`zeek.ssh.host_key`*:: +*`rsa.network.host_orig`*:: + -- -The server's key thumbprint. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
type: keyword -- -*`zeek.ssh.server`*:: +*`rsa.network.rpayload`*:: + -- -The server's version string. - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`zeek.ssh.version`*:: +*`rsa.network.vlan_name`*:: + -- -SSH major version (1 or 2). +This key should only be used to capture the name of the Virtual LAN - -type: integer +type: keyword -- -[float] -=== algorithm -Cipher algorithms used in this session. +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) +type: keyword +-- -*`zeek.ssh.algorithm.cipher`*:: +*`rsa.investigations.ec_theme`*:: + -- -The encryption algorithm in use. - +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`zeek.ssh.algorithm.compression`*:: +*`rsa.investigations.ec_subject`*:: + -- -The compression algorithm in use. - +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`zeek.ssh.algorithm.host_key`*:: +*`rsa.investigations.ec_outcome`*:: + -- -The server host key's algorithm. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`zeek.ssh.algorithm.key_exchange`*:: +*`rsa.investigations.event_cat`*:: + -- -The key exchange algorithm in use. - +This key captures the Event category number -type: keyword +type: long -- -*`zeek.ssh.algorithm.mac`*:: +*`rsa.investigations.event_cat_name`*:: + -- -The signing (MAC) algorithm in use. - +This key captures the event category name corresponding to the event cat code type: keyword -- - -*`zeek.ssh.auth.attempts`*:: +*`rsa.investigations.event_vcat`*:: + -- -The number of authentication attemps we observed. There's always at -least one, since some servers might support no authentication at all. -It's important to note that not all of these are failures, since some -servers require two-factor auth (e.g. password AND pubkey). - +This is a vendor supplied category. 
This should be used in situations where the vendor has adopted their own event_category taxonomy. -type: integer +type: keyword -- -*`zeek.ssh.auth.success`*:: +*`rsa.investigations.analysis_file`*:: + -- -Authentication result. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: boolean +type: keyword -- -[float] -=== ssl - -Fields exported by the Zeek SSL log. +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +type: keyword +-- -*`zeek.ssl.version`*:: +*`rsa.investigations.analysis_session`*:: + -- -SSL/TLS version that was logged. - +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -- -*`zeek.ssl.cipher`*:: +*`rsa.investigations.boc`*:: + -- -SSL/TLS cipher suite that was logged. - +This is used to capture behaviour of compromise type: keyword -- -*`zeek.ssl.curve`*:: +*`rsa.investigations.eoc`*:: + -- -Elliptic curve that was logged when using ECDH/ECDHE. - +This is used to capture Enablers of Compromise type: keyword -- -*`zeek.ssl.resumed`*:: +*`rsa.investigations.inv_category`*:: + -- -Flag to indicate if the session was resumed reusing the key material exchanged in an -earlier connection. - +This used to capture investigation category -type: boolean +type: keyword -- -*`zeek.ssl.next_protocol`*:: +*`rsa.investigations.inv_context`*:: + -- -Next protocol the server chose using the application layer next protocol extension. - +This used to capture investigation context type: keyword -- -*`zeek.ssl.established`*:: +*`rsa.investigations.ioc`*:: + -- -Flag to indicate if this ssl session has been established successfully. 
- +This is key capture indicator of compromise -type: boolean +type: keyword -- -*`zeek.ssl.validation.status`*:: +*`rsa.counters.dclass_c1`*:: + -- -Result of certificate validation for this connection. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: keyword +type: long -- -*`zeek.ssl.validation.code`*:: +*`rsa.counters.dclass_c2`*:: + -- -Result of certificate validation for this connection, given as OpenSSL validation code. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`zeek.ssl.last_alert`*:: +*`rsa.counters.event_counter`*:: + -- -Last alert that was seen during the connection. +This is used to capture the number of times an event repeated - -type: keyword +type: long -- - -*`zeek.ssl.server.name`*:: +*`rsa.counters.dclass_r1`*:: + -- -Value of the Server Name Indicator SSL/TLS extension. It indicates the server name -that the client was requesting. - +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`zeek.ssl.server.cert_chain`*:: +*`rsa.counters.dclass_c3`*:: + -- -Chain of certificates offered by the server to validate its complete signing chain. +This is a generic counter key that should be used with the label dclass.c3.str only - -type: keyword +type: long -- -*`zeek.ssl.server.cert_chain_fuids`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the server. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the server. 
+*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only +type: keyword +-- -*`zeek.ssl.server.issuer.common_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Common name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`zeek.ssl.server.issuer.country`*:: +*`rsa.counters.dclass_r2`*:: + -- -Country code of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`zeek.ssl.server.issuer.locality`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Locality of the signer of the X.509 certificate offered by the server. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`zeek.ssl.server.issuer.organization`*:: +*`rsa.counters.dclass_r3`*:: + -- -Organization of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`zeek.ssl.server.issuer.organizational_unit`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`zeek.ssl.server.issuer.state`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -State or province name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -[float] -=== subject -Subject of the X.509 certificate offered by the server. 
+*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only +type: keyword +-- -*`zeek.ssl.server.subject.common_name`*:: +*`rsa.identity.user_role`*:: + -- -Common name of the X.509 certificate offered by the server. - +This key is used to capture the Role of a user only type: keyword -- -*`zeek.ssl.server.subject.country`*:: +*`rsa.identity.dn`*:: + -- -Country code of the X.509 certificate offered by the server. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`zeek.ssl.server.subject.locality`*:: +*`rsa.identity.logon_type`*:: + -- -Locality of the X.509 certificate offered by the server. - +This key is used to capture the type of logon method used. type: keyword -- -*`zeek.ssl.server.subject.organization`*:: +*`rsa.identity.profile`*:: + -- -Organization of the X.509 certificate offered by the server. - +This key is used to capture the user profile type: keyword -- -*`zeek.ssl.server.subject.organizational_unit`*:: +*`rsa.identity.accesses`*:: + -- -Organizational unit of the X.509 certificate offered by the server. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`zeek.ssl.server.subject.state`*:: +*`rsa.identity.realm`*:: + -- -State or province name of the X.509 certificate offered by the server. - +Radius realm or similar grouping of accounts type: keyword -- - -*`zeek.ssl.client.cert_chain`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Chain of certificates offered by the client to validate its complete signing chain. - +This key captures Destination User Session ID type: keyword -- -*`zeek.ssl.client.cert_chain_fuids`*:: +*`rsa.identity.dn_src`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the client. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the client. 
+*`rsa.identity.org`*:: ++ +-- +This key captures the User organization +type: keyword +-- -*`zeek.ssl.client.issuer.common_name`*:: +*`rsa.identity.dn_dst`*:: + -- -Common name of the signer of the X.509 certificate offered by the client. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`zeek.ssl.client.issuer.country`*:: +*`rsa.identity.firstname`*:: + -- -Country code of the signer of the X.509 certificate offered by the client. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.locality`*:: +*`rsa.identity.lastname`*:: + -- -Locality of the signer of the X.509 certificate offered by the client. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.organization`*:: +*`rsa.identity.user_dept`*:: + -- -Organization of the signer of the X.509 certificate offered by the client. - +User's Department Names only type: keyword -- -*`zeek.ssl.client.issuer.organizational_unit`*:: +*`rsa.identity.user_sid_src`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the client. - +This key captures Source User Session ID type: keyword -- -*`zeek.ssl.client.issuer.state`*:: +*`rsa.identity.federated_sp`*:: + -- -State or province name of the signer of the X.509 certificate offered by the client. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -[float] -=== subject - -Subject of the X.509 certificate offered by the client. +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. +type: keyword +-- -*`zeek.ssl.client.subject.common_name`*:: +*`rsa.identity.logon_type_desc`*:: + -- -Common name of the X.509 certificate offered by the client. 
- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -*`zeek.ssl.client.subject.country`*:: +*`rsa.identity.middlename`*:: + -- -Country code of the X.509 certificate offered by the client. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.subject.locality`*:: +*`rsa.identity.password`*:: + -- -Locality of the X.509 certificate offered by the client. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`zeek.ssl.client.subject.organization`*:: +*`rsa.identity.host_role`*:: + -- -Organization of the X.509 certificate offered by the client. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`zeek.ssl.client.subject.organizational_unit`*:: +*`rsa.identity.ldap`*:: + -- -Organizational unit of the X.509 certificate offered by the client. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`zeek.ssl.client.subject.state`*:: +*`rsa.identity.ldap_query`*:: + -- -State or province name of the X.509 certificate offered by the client. - +This key is the Search criteria from an LDAP search type: keyword -- -[float] -=== stats - -Fields exported by the Zeek stats log. +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search +type: keyword +-- -*`zeek.stats.peer`*:: +*`rsa.identity.owner`*:: + -- -Peer that generated this log. Mostly for clusters. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`zeek.stats.memory`*:: +*`rsa.identity.service_account`*:: + -- -Amount of memory currently in use in MB. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage -type: integer +type: keyword -- -*`zeek.stats.packets.processed`*:: +*`rsa.email.email_dst`*:: + -- -Number of packets processed since the last stats interval. +This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: long +type: keyword -- -*`zeek.stats.packets.dropped`*:: +*`rsa.email.email_src`*:: + -- -Number of packets dropped since the last stats interval if reading live traffic. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`zeek.stats.packets.received`*:: +*`rsa.email.subject`*:: + -- -Number of packets seen on the link since the last stats interval if reading live traffic. +This key is used to capture the subject string from an Email only. - -type: long +type: keyword -- - -*`zeek.stats.bytes.received`*:: +*`rsa.email.email`*:: + -- -Number of bytes received since the last stats interval if reading live traffic. +This key is used to capture a generic email address where the source or destination context is not clear - -type: long +type: keyword -- - - -*`zeek.stats.connections.tcp.active`*:: +*`rsa.email.trans_from`*:: + -- -TCP connections currently in memory. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.stats.connections.tcp.count`*:: +*`rsa.email.trans_to`*:: + -- -TCP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.stats.connections.udp.active`*:: +*`rsa.file.privilege`*:: + -- -UDP connections currently in memory. - +Deprecated, use permissions -type: integer +type: keyword -- -*`zeek.stats.connections.udp.count`*:: +*`rsa.file.attachment`*:: + -- -UDP connections seen since last stats interval. 
+This key captures the attachment file name - -type: integer +type: keyword -- - -*`zeek.stats.connections.icmp.active`*:: +*`rsa.file.filesystem`*:: + -- -ICMP connections currently in memory. - - -type: integer +type: keyword -- -*`zeek.stats.connections.icmp.count`*:: +*`rsa.file.binary`*:: + -- -ICMP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- - -*`zeek.stats.events.processed`*:: +*`rsa.file.filename_dst`*:: + -- -Number of events processed since the last stats interval. +This is used to capture name of the file targeted by the action - -type: integer +type: keyword -- -*`zeek.stats.events.queued`*:: +*`rsa.file.filename_src`*:: + -- -Number of events that have been queued since the last stats interval. +This is used to capture name of the parent filename, the file which performed the action +type: keyword -type: integer +-- +*`rsa.file.filename_tmp`*:: ++ -- +type: keyword +-- -*`zeek.stats.timers.count`*:: +*`rsa.file.directory_dst`*:: + -- -Number of timers scheduled since last stats interval. - +This key is used to capture the directory of the target process or file -type: integer +type: keyword -- -*`zeek.stats.timers.active`*:: +*`rsa.file.directory_src`*:: + -- -Current number of scheduled timers. +This key is used to capture the directory of the source process or file +type: keyword -type: integer +-- +*`rsa.file.file_entropy`*:: ++ -- +This is used to capture entropy vale of a file +type: double -*`zeek.stats.files.count`*:: -+ -- -Number of files seen since last stats interval. +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info -type: integer +type: keyword -- -*`zeek.stats.files.active`*:: +*`rsa.file.task_name`*:: + -- -Current number of files actively being seen. 
+This is used to capture name of the task - -type: integer +type: keyword -- -*`zeek.stats.dns_requests.count`*:: +*`rsa.web.fqdn`*:: + -- -Number of DNS requests seen since last stats interval. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`zeek.stats.dns_requests.active`*:: +*`rsa.web.web_cookie`*:: + -- -Current number of DNS requests awaiting a reply. +This key is used to capture the Web cookies specifically. +type: keyword -type: integer +-- +*`rsa.web.alias_host`*:: ++ -- +type: keyword +-- -*`zeek.stats.reassembly_size.tcp`*:: +*`rsa.web.reputation_num`*:: + -- -Current size of TCP data in reassembly. +Reputation Number of an entity. Typically used for Web Domains - -type: integer +type: double -- -*`zeek.stats.reassembly_size.file`*:: +*`rsa.web.web_ref_domain`*:: + -- -Current size of File data in reassembly. - +Web referer's domain -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.frag`*:: +*`rsa.web.web_ref_query`*:: + -- -Current size of packet fragment data in reassembly. +This key captures Web referer's query portion of the URL - -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.unknown`*:: +*`rsa.web.remote_domain`*:: + -- -Current size of unknown data in reassembly (this is only PIA buffer right now). - - -type: integer +type: keyword -- -*`zeek.stats.timestamp_lag`*:: +*`rsa.web.web_ref_page`*:: + -- -Lag between the wall clock and packet timestamps if reading live traffic. - +This key captures Web referer's page information -type: integer +type: keyword -- -[float] -=== syslog - -Fields exported by the Zeek syslog log. +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path +type: keyword +-- -*`zeek.syslog.facility`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Syslog facility for the message. - - type: keyword -- -*`zeek.syslog.severity`*:: +*`rsa.web.cn_rpackets`*:: + -- -Syslog severity for the message. 
+type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`zeek.syslog.message`*:: +*`rsa.web.urlroot`*:: + -- -The plain text message. +type: keyword +-- +*`rsa.web.p_url`*:: ++ +-- type: keyword -- -[float] -=== tunnel +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword -Fields exported by the Zeek SSH log. +-- +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword +-- -*`zeek.tunnel.type`*:: +*`rsa.web.p_web_method`*:: + -- -The type of tunnel. +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`zeek.tunnel.action`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The type of activity that occurred. +type: keyword +-- +*`rsa.web.web_page`*:: ++ +-- type: keyword -- -[float] -=== weird -Fields exported by the Zeek Weird log. +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert +type: keyword +-- -*`zeek.weird.name`*:: +*`rsa.threat.threat_desc`*:: + -- -The name of the weird that occurred. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`zeek.weird.additional_info`*:: +*`rsa.threat.alert`*:: + -- -Additional information accompanying the weird if any. - +This key is used to capture name of the alert type: keyword -- -*`zeek.weird.notice`*:: +*`rsa.threat.threat_source`*:: + -- -Indicate if this weird was also turned into a notice. +This key is used to capture source of the threat - -type: boolean +type: keyword -- -*`zeek.weird.peer`*:: + +*`rsa.crypto.crypto`*:: + -- -The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`zeek.weird.identifier`*:: +*`rsa.crypto.cipher_src`*:: + -- -This field is to be provided when a weird is generated for the purpose of deduplicating weirds. 
The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. - +This key is for Source (Client) Cipher type: keyword -- -[float] -=== x509 - -Fields exported by the Zeek x509 log. +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only +type: keyword +-- -*`zeek.x509.id`*:: +*`rsa.crypto.peer`*:: + -- -File id of this certificate. - +This key is for Encryption peer's IP Address type: keyword -- -[float] -=== certificate - -Basic information about the certificate. +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size +type: long +-- -*`zeek.x509.certificate.version`*:: +*`rsa.crypto.ike`*:: + -- -Version number. - +IKE negotiation phase. -type: integer +type: keyword -- -*`zeek.x509.certificate.serial`*:: +*`rsa.crypto.scheme`*:: + -- -Serial number. - +This key captures the Encryption scheme used type: keyword -- -[float] -=== subject - -Subject. +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity +type: keyword +-- -*`zeek.x509.certificate.subject.country`*:: +*`rsa.crypto.sig_type`*:: + -- -Country provided in the certificate subject. - +This key captures the Signature Type type: keyword -- -*`zeek.x509.certificate.subject.common_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Common name provided in the certificate subject. - - type: keyword -- -*`zeek.x509.certificate.subject.locality`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Locality provided in the certificate subject. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.x509.certificate.subject.organization`*:: +*`rsa.crypto.cert_error`*:: + -- -Organization provided in the certificate subject. 
- +This key captures the Certificate Error String type: keyword -- -*`zeek.x509.certificate.subject.organizational_unit`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Organizational unit provided in the certificate subject. - +This key is for Destination (Server) Cipher type: keyword -- -*`zeek.x509.certificate.subject.state`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -State or province provided in the certificate subject. +This key captures Destination (Server) Cipher Size +type: long -type: keyword +-- +*`rsa.crypto.ssl_ver_src`*:: ++ -- +Deprecated, use version -[float] -=== issuer +type: keyword -Issuer. +-- +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.issuer.country`*:: +*`rsa.crypto.s_certauth`*:: + -- -Country provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`zeek.x509.certificate.issuer.common_name`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Common name provided in the certificate issuer field. - +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`zeek.x509.certificate.issuer.locality`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Locality provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate type: keyword -- -*`zeek.x509.certificate.issuer.organization`*:: +*`rsa.crypto.cert_serial`*:: + -- -Organization provided in the certificate issuer field. - +This key is used to capture the Certificate serial number only type: keyword -- -*`zeek.x509.certificate.issuer.organizational_unit`*:: +*`rsa.crypto.cert_status`*:: + -- -Organizational unit provided in the certificate issuer field. - +This key captures Certificate validation status type: keyword -- -*`zeek.x509.certificate.issuer.state`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -State or province provided in the certificate issuer field. 
- +Deprecated, use version type: keyword -- -*`zeek.x509.certificate.common_name`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Last (most specific) common name. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -[float] -=== valid +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -Certificate validity timestamps +-- +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.valid.from`*:: +*`rsa.crypto.cert_ca`*:: + -- -Timestamp before when certificate is not valid. - +This key is used to capture the Certificate signing authority only -type: date +type: keyword -- -*`zeek.x509.certificate.valid.until`*:: +*`rsa.crypto.cert_common`*:: + -- -Timestamp after when certificate is not valid. +This key is used to capture the Certificate common name only - -type: date +type: keyword -- -*`zeek.x509.certificate.key.algorithm`*:: +*`rsa.wireless.wlan_ssid`*:: + -- -Name of the key algorithm. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`zeek.x509.certificate.key.type`*:: +*`rsa.wireless.access_point`*:: + -- -Key type, if key parseable by openssl (either rsa, dsa or ec). - +This key is used to capture the access point name. type: keyword -- -*`zeek.x509.certificate.key.length`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Key length in bits. - +This is used to capture the channel names -type: integer +type: long -- -*`zeek.x509.certificate.signature_algorithm`*:: +*`rsa.wireless.wlan_name`*:: + -- -Name of the signature algorithm. - +This key captures either WLAN number/name type: keyword -- -*`zeek.x509.certificate.exponent`*:: + +*`rsa.storage.disk_volume`*:: + -- -Exponent, if RSA-certificate. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`zeek.x509.certificate.curve`*:: +*`rsa.storage.lun`*:: + -- -Curve, if EC-certificate. - +Logical Unit Number.This key is a very useful concept in Storage. 
type: keyword -- -[float] -=== san +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. -Subject alternative name extension of the certificate. +type: keyword +-- -*`zeek.x509.san.dns`*:: +*`rsa.physical.org_dst`*:: + -- -List of DNS entries in SAN. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.uri`*:: +*`rsa.physical.org_src`*:: + -- -List of URI entries in SAN. - +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.email`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -List of email entries in SAN. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.x509.san.ip`*:: +*`rsa.healthcare.patient_id`*:: + -- -List of IP entries in SAN. - +This key captures the unique ID for a patient -type: ip +type: keyword -- -*`zeek.x509.san.other_fields`*:: +*`rsa.healthcare.patient_lname`*:: + -- -True if the certificate contained other, not recognized or parsed name fields. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: boolean +type: keyword -- -[float] -=== basic_constraints +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -Basic constraints extension of the certificate. +type: keyword +-- -*`zeek.x509.basic_constraints.certificate_authority`*:: +*`rsa.endpoint.host_state`*:: + -- -CA flag set or not. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: boolean +type: keyword -- -*`zeek.x509.basic_constraints.path_length`*:: +*`rsa.endpoint.registry_key`*:: + -- -Maximum path length. 
- +This key captures the path to the registry key -type: integer +type: keyword -- -*`zeek.x509.log_cert`*:: +*`rsa.endpoint.registry_value`*:: + -- -Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded -Logging of certificate is suppressed if set to F. - +This key captures values or decorators used within a registry entry -type: boolean +type: keyword --
diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc
new file mode 100644
index 00000000000..5929c50d7d4
--- /dev/null
+++ b/filebeat/docs/modules/barracuda.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-barracuda]] +[role="xpack"] + +:modulename: barracuda +:has-dashboards: false + +== Barracuda module + +experimental[] + +This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: waf + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `waf` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9503` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc new file mode 100644 index 00000000000..753db835b54 --- /dev/null +++ b/filebeat/docs/modules/bluecoat.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-bluecoat]] +[role="xpack"] + +:modulename: bluecoat +:has-dashboards: false + +== Bluecoat module + +experimental[] + +This is a module for receiving Blue Coat Director logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: director + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `director` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9505` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index ec13e658c7f..c072057cd22 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -16,6 +16,7 @@ filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. +- `nexus` fileset: supports Cisco Nexus switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
@@ -299,6 +300,51 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: +[float] +==== `nexus` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9506` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] [[dynamic-script-compilations]] === Dynamic Script Compilations diff --git a/filebeat/docs/modules/citrix.asciidoc b/filebeat/docs/modules/citrix.asciidoc new file mode 100644 index 00000000000..ab0ade1561d --- /dev/null +++ b/filebeat/docs/modules/citrix.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-citrix]] +[role="xpack"] + +:modulename: citrix +:has-dashboards: false + +== Citrix module + +experimental[] + +This is a module for receiving Citrix XenApp logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: virtualapps + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `virtualapps` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9507` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc new file mode 100644 index 00000000000..1e27640f8df --- /dev/null +++ b/filebeat/docs/modules/cylance.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cylance]] +[role="xpack"] + +:modulename: cylance +:has-dashboards: false + +== Cylance module + +experimental[] + +This is a module for receiving CylanceProtect logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: protect + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `protect` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9508` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc new file mode 100644 index 00000000000..e0f69dbffac --- /dev/null +++ b/filebeat/docs/modules/f5.asciidoc 
@@ -0,0 +1,124 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-f5]] +[role="xpack"] + +:modulename: f5 +:has-dashboards: false + +== F5 module + +experimental[] + +This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: bigipapm + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `bigipapm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9504` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `firepass` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. 
+ +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9509` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index 47a421ca2f2..cef820bd0bb 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc 
@@ -64,6 +64,53 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`. +:fileset_ex!: + +[float] +==== `clientendpoint` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9510` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== Fortinet ECS fields diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc new file mode 100644 index 00000000000..7aa882cca43 --- /dev/null +++ b/filebeat/docs/modules/imperva.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-imperva]] +[role="xpack"] + +:modulename: imperva +:has-dashboards: false + +== Imperva module + +experimental[] + +This is a module for receiving Imperva SecureSphere logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: securesphere + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `securesphere` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9511` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc new file mode 100644 index 00000000000..17a789383c3 --- /dev/null +++ b/filebeat/docs/modules/infoblox.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-infoblox]] +[role="xpack"] + +:modulename: infoblox +:has-dashboards: false + +== Infoblox module + +experimental[] + +This is a module for receiving Infoblox NIOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nios + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nios` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9512` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc new file mode 100644 index 00000000000..68d0fb7d52f --- /dev/null +++ b/filebeat/docs/modules/juniper.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-juniper]] +[role="xpack"] + +:modulename: juniper +:has-dashboards: false + +== Juniper module + +experimental[] + +This is a module for receiving Juniper JUNOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: junos + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `junos` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9513` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/kaspersky.asciidoc b/filebeat/docs/modules/kaspersky.asciidoc new file mode 100644 index 00000000000..864adc6f859 --- /dev/null +++ b/filebeat/docs/modules/kaspersky.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-kaspersky]] +[role="xpack"] + +:modulename: kaspersky +:has-dashboards: false + +== Kaspersky module + +experimental[] + +This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: av + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `av` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9514` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc new file mode 100644 index 00000000000..d58edefe56c --- /dev/null +++ b/filebeat/docs/modules/microsoft.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-microsoft]] +[role="xpack"] + +:modulename: microsoft +:has-dashboards: false + +== Microsoft module + +experimental[] + +This is a module for receiving Microsoft DHCP logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: dhcp + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `dhcp` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9515` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc new file mode 100644 index 00000000000..d53fec8c56e --- /dev/null +++ b/filebeat/docs/modules/netscout.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-netscout]] +[role="xpack"] + +:modulename: netscout +:has-dashboards: false + +== Netscout module + +experimental[] + +This is a module for receiving Arbor Peakflow SP logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: sightline + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `sightline` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9502` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc new file mode 100644 index 00000000000..4531c23d470 --- /dev/null +++ b/filebeat/docs/modules/radware.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-radware]] +[role="xpack"] + +:modulename: radware +:has-dashboards: false + +== Radware module + +experimental[] + +This is a module for receiving Radware DefensePro logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: defensepro + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `defensepro` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9518` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/rapid7.asciidoc b/filebeat/docs/modules/rapid7.asciidoc new file mode 100644 index 00000000000..a74bdaa2dcd --- /dev/null +++ b/filebeat/docs/modules/rapid7.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-rapid7]] +[role="xpack"] + +:modulename: rapid7 +:has-dashboards: false + +== Rapid7 module + +experimental[] + +This is a module for receiving Rapid7 NeXpose logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nexpose + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nexpose` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9517` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc new file mode 100644 index 00000000000..d1a8f65838c --- /dev/null +++ b/filebeat/docs/modules/sonicwall.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sonicwall]] +[role="xpack"] + +:modulename: sonicwall +:has-dashboards: false + +== Sonicwall module + +experimental[] + +This is a module for receiving Sonicwall-FW logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9519` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc new file mode 100644 index 00000000000..187eed663b2 --- /dev/null +++ b/filebeat/docs/modules/squid.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-squid]] +[role="xpack"] + +:modulename: squid +:has-dashboards: false + +== Squid module + +experimental[] + +This is a module for receiving Squid logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9520` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tenable.asciidoc b/filebeat/docs/modules/tenable.asciidoc new file mode 100644 index 00000000000..ec8a168d19d --- /dev/null +++ b/filebeat/docs/modules/tenable.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tenable]] +[role="xpack"] + +:modulename: tenable +:has-dashboards: false + +== Tenable module + +experimental[] + +This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nessus_security + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nessus_security` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9516` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc new file mode 100644 index 00000000000..7a46670144d --- /dev/null +++ b/filebeat/docs/modules/tomcat.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tomcat]] +[role="xpack"] + +:modulename: tomcat +:has-dashboards: false + +== Tomcat module + +experimental[] + +This is a module for receiving Apache Tomcat logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9501` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc new file mode 100644 index 00000000000..f969982851e --- /dev/null +++ b/filebeat/docs/modules/zscaler.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zscaler]] +[role="xpack"] + +:modulename: zscaler +:has-dashboards: false + +== Zscaler module + +experimental[] + +This is a module for receiving Zscaler NSS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: zia + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `zia` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9521` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 2fad0a66105..345ee94ce87 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -8,13 +8,18 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> * <> * <> + * <> * <> * <> + * <> * <> * <> + * <> * <> * <> * <> @@ -22,16 +27,22 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> + * <> * <> + * <> * <> * <> + * <> * <> * <> * <> * <> * <> * <> + * <> * <> * <> * <> @@ -39,12 +50,19 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> * <> + * <> + * <> * <> * <> + * <> + * <> * <> * <> + * <> -- @@ -55,13 +73,18 @@ include::modules/apache.asciidoc[] include::modules/auditd.asciidoc[] include::modules/aws.asciidoc[] include::modules/azure.asciidoc[] +include::modules/barracuda.asciidoc[] +include::modules/bluecoat.asciidoc[] include::modules/cef.asciidoc[] include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] +include::modules/citrix.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] +include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] +include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/googlecloud.asciidoc[] include::modules/gsuite.asciidoc[] 
@@ -69,16 +92,22 @@ include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] +include::modules/imperva.asciidoc[] +include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] +include::modules/juniper.asciidoc[] include::modules/kafka.asciidoc[] +include::modules/kaspersky.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] +include::modules/microsoft.asciidoc[] include::modules/misp.asciidoc[] include::modules/mongodb.asciidoc[] include::modules/mssql.asciidoc[] include::modules/mysql.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] +include::modules/netscout.asciidoc[] include::modules/nginx.asciidoc[] include::modules/o365.asciidoc[] include::modules/okta.asciidoc[] @@ -86,9 +115,16 @@ include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/rabbitmq.asciidoc[] +include::modules/radware.asciidoc[] +include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] +include::modules/sonicwall.asciidoc[] +include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] +include::modules/tenable.asciidoc[] +include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] +include::modules/zscaler.asciidoc[] diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 731b6c194d6..727775d8fa7 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py 
@@ -228,8 +228,24 @@ def clean_keys(obj):
 # ECS versions change for any ECS release, large or small
 ecs_key = ["ecs.version"]
 # datasets for which @timestamp is removed due to date missing
- remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log",
- "system.auth", "system.syslog", "cef.log", "activemq.audit", "iptables.log", "cisco.asa", "cisco.ios"}
+ remove_timestamp = {
+ "activemq.audit",
+ "barracuda.waf",
+ "bluecoat.director",
+ "cef.log",
+ "cisco.asa",
+ "cisco.ios",
+ "f5.firepass",
+ "haproxy.log",
+ "icinga.startup",
+ "imperva.securesphere",
+ "infoblox.nios",
+ "iptables.log",
+ "rapid7.nexpose",
+ "redis.log",
+ "system.auth",
+ "system.syslog",
+ }
 # dataset + log file pairs for which @timestamp is kept as an exception from above
 remove_timestamp_exception = {
 ('system.syslog', 'tz-offset.log'),
@@ -253,6 +269,8 @@ def clean_keys(obj):
 if obj["event.dataset"] in remove_timestamp:
 if not (obj['event.dataset'], filename) in remove_timestamp_exception:
 delete_key(obj, "@timestamp")
+ # Also remove alternate time field from rsa parsers.
+ delete_key(obj, "rsa.time.event_time")
 else:
 # excluded events need to have their filename saved to the expected.json
 # so that the exception mechanism can be triggered when the json is
diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py
index ecedb17d7b6..f25ebc00779 100644
--- a/libbeat/scripts/generate_fields_docs.py
+++ b/libbeat/scripts/generate_fields_docs.py
@@ -121,9 +121,8 @@ def fields_to_asciidoc(input, output, beat):
 for field in section["fields"]:
 name = field["name"]
 if name in fields:
- assert field["type"] == (fields[name]["type"],
- 'field "{}" redefined with different type "{}"'.format(
- name, field["type"]))
+ assert field["type"] == fields[name]["type"], 'field "{}" redefined with different type "{}"'.format(
+ name, field["type"])
 fields[name].update(field)
 else:
 fields[name] = field
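Review bot: The added `delete_key(obj, "rsa.time.event_time")` executes for every dataset in `remove_timestamp`, including non-RSA ones such as `redis.log` and `system.syslog`, so it depends on `delete_key` tolerating an absent nested key; `delete_key` is defined outside this hunk, so please confirm that it does rather than raising. Dropping both time fields also means the expected output no longer pins any date parsing for the datasets listed in the first hunk, so if (as the comment above the set suggests) the problem is year-less dates, a regression in that handling would now go unnoticed; the comment should state why that trade-off is accepted, e.g. `# Year-less dates in these samples resolve to the test's run year, so both @timestamp and the RSA parser's own event_time would make expected.json non-reproducible.` The enclosing `clean_keys` begins and ends outside the hunk.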
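Review bot: The assertion message on the new line still reports only the incoming type, not the type already recorded for the field, which is the half of the conflict a maintainer actually needs to see; suggest `assert field["type"] == fields[name]["type"], \` followed by `'field "{}" redefined with different type "{}" (was "{}")'.format(name, field["type"], fields[name]["type"])`. Since this is a build script, note also that `assert` is elided under `python -O`, in which case the `fields[name].update(field)` below would silently merge conflicting definitions; an explicit `if field["type"] != fields[name]["type"]: raise ValueError(...)` keeps the check unconditional. `fields_to_asciidoc` continues outside the hunk.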
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 7af1ee43ef7..853eec3f827 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -334,6 +334,48 @@ filebeat.modules: # storage_account: "" # storage_account_key: "" +#------------------ Barracuda Web Application Firewall Module ------------------ +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------- Blue Coat Director Module -------------------------- +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- CEF Module --------------------------------- - module: cef log: 
@@ -412,6 +454,46 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Citrix XenApp Module ---------------------------- +- module: citrix + virtualapps: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9507 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Coredns Module ------------------------------- - module: coredns # Fileset for native deployment 
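Review bot: The section title `Citrix XenApp Module` does not match the fileset `virtualapps` declared under it, and the same kind of mismatch appears in a later hunk where `Arbor Peakflow SP Module` heads the `netscout`/`sightline` section; a user searching this reference file for the product name used by the fileset will not find these blocks. If these headers are derived from per-module metadata (it looks that way, since the reference file is assembled from the modules' config snippets), the fix belongs in that metadata: `#---------------------------- Citrix Virtual Apps Module ----------------------------` and `#-------------------------- Netscout Arbor Sightline Module --------------------------`.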
@@ -432,6 +514,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- CylanceProtect Module ---------------------------- +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #---------------------------- Elasticsearch Module ---------------------------- - module: elasticsearch # Server log @@ -476,6 +579,46 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------- Big-IP Access Policy Manager Module --------------------- +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + firepass: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9509 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: 
@@ -491,6 +634,25 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- Google Cloud Module ----------------------------- - module: googlecloud vpcflow: @@ -642,6 +804,48 @@ filebeat.modules: # can be added under this section. #input: +#------------------------- Imperva SecureSphere Module ------------------------- +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Infoblox NIOS Module ---------------------------- +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Iptables Module ------------------------------- - module: iptables log: 
@@ -654,6 +858,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Juniper JUNOS Module ---------------------------- +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs @@ -668,6 +893,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------- Kaspersky Anti-Virus Module ------------------------- +- module: kaspersky + av: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9514 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Kibana Module -------------------------------- - module: kibana # All logs 
@@ -696,6 +942,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Microsoft DHCP Module ---------------------------- +- module: microsoft + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- MISP Module --------------------------------- - module: misp threat: @@ -783,6 +1050,27 @@ filebeat.modules: netflow_host: localhost netflow_port: 2055 +#-------------------------- Arbor Peakflow SP Module -------------------------- +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Nginx Module -------------------------------- #- module: nginx # Access logs 
@@ -923,6 +1211,48 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] +#-------------------------- Radware DefensePro Module -------------------------- +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Rapid7 NeXpose Module ---------------------------- +- module: rapid7 + nexpose: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9517 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs 
@@ -951,6 +1281,48 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#----------------------------- Sonicwall-FW Module ----------------------------- +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------------- Squid Module -------------------------------- +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Suricata Module ------------------------------- - module: suricata # All logs 
@@ -961,6 +1333,48 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------- Tenable Network Security Nessus Module ------------------- +- module: tenable + nessus_security: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9516 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Apache Tomcat Module ---------------------------- +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs 
@@ -1056,6 +1470,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#----------------------------- Zscaler NSS Module ----------------------------- +- module: zscaler + zia: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9521 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #=========================== Filebeat inputs ============================= diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 7d20d33952d..1e2831bb599 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go 
@@ -18,25 +18,43 @@ import (
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/activemq"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/aws"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/azure"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/barracuda"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/bluecoat"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cef"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/checkpoint"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/citrix"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/googlecloud"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/kaspersky"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/netscout"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek"
+	_ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler"
 	_ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef"
 )
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
new file mode 100644
index 00000000000..57ada7880ce
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/README.md
@@ -0,0 +1,7 @@
+# barracuda module
+
+This is a module for Barracuda Web Application Firewall logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
+at 2020-07-13 17:55:32.894932 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml
new file mode 100644
index 00000000000..12971cecc2a
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: barracuda
+  waf:
+    enabled: true
+
+    # Set which input to use between udp (default), tcp or file.
+    # var.input: udp
+    # var.syslog_host: localhost
+    # var.syslog_port: 9503
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+
+    # Toggle output of non-ECS fields (default true).
+    # var.rsa_fields: true
+
+    # Set custom timezone offset.
+    # "local" (default) for system timezone.
+    # "+02:00" for GMT+02:00
+    # var.tz_offset: local
diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
new file mode 100644
index 00000000000..5ebc34fa334
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: barracuda
+:has-dashboards: false
+
+== Barracuda module
+
+experimental[]
+
+This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: waf
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `waf` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9503`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/barracuda/_meta/fields.yml b/x-pack/filebeat/module/barracuda/_meta/fields.yml
new file mode 100644
index 00000000000..c12b3acd69f
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: barracuda
+  title: Barracuda Web Application Firewall
+  description: >
+    barracuda fields.
+  fields:
diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go
new file mode 100644
index 00000000000..e01b040a745
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package barracuda
+
+import (
+	"github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+	if err := asset.SetFields("filebeat", "barracuda", asset.ModuleFieldsPri, AssetBarracuda); err != nil {
+		panic(err)
+	}
+}
+
+// AssetBarracuda returns asset data.
+// This is the base64 encoded gzipped contents of module/barracuda.
+func AssetBarracuda() string {
+	return "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"
+}
diff --git a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml new file mode 100644 index 00000000000..30e0d5f2745 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+  observer:
+    vendor: "Barracuda"
+    product: "Web"
+    type: "WAF"
+
+processors:
+- script:
+    lang: javascript
+    params:
+      ecs: true
+      rsa: {{.rsa_fields}}
+      tz_offset: {{.tz_offset}}
+      keep_raw: {{.keep_raw_fields}}
+      debug: {{.debug}}
+    files:
+      - ${path.home}/module/barracuda/waf/config/liblogparser.js
+      - ${path.home}/module/barracuda/waf/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+    target: ''
+    fields:
+      ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
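Review bot: `tz_offset: {{.tz_offset}}` under `params:` is emitted as an unquoted YAML scalar, whereas `host:` a few lines above quotes its templated value; a user-supplied offset such as `+02:00` therefore relies on the YAML parser keeping it a string. The script side (`parse_tz_offset` in the liblogparser.js hunk that follows) calls `offset.match(...)` on anything that is not `"local"` or `"event"`, so a value resolved to a non-string would presumably fail there rather than produce a clear configuration error. Quoting the template expansion, `tz_offset: "{{.tz_offset}}"`, removes that dependency and matches the existing quoting style of `host:`. The same consideration does not apply to `rsa`, `keep_raw` and `debug`, which the script reads as booleans.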
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup17 = setc("eventcategory","1204000000"); + +var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var dup19 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var dup20 = setf("msg_id","web_method"); + +var dup21 = setc("category","TR"); + +var dup22 = setc("vid","TR_Logs"); + +var dup23 = linear_select([ + dup13, + dup14, +]); + +var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var dup25 = linear_select([ + dup18, + dup19, +]); + +var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var 
hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + 
field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0008"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, +]); + +var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), +])); + +var msg1 = msg("UPDATE", part1); + +var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", 
"STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB Server disabled by out of band monitor"), +])); + +var msg2 = msg("STM:01", part2); + +var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), +])); + +var msg3 = msg("STM:02", part3); + +var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), +])); + +var msg4 = msg("STM:03", part4); + +var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), +])); + +var msg5 = msg("STM:04", part5); + +var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), +])); + +var msg6 = msg("STM:05", part6); + +var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), +])); + +var msg7 = msg("STM:06", part7); + +var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + 
setc("event_description","STM: SERVICE New Service created."), +])); + +var msg8 = msg("STM:07", part8); + +var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), +])); + +var msg9 = msg("STM:08", part9); + +var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), +])); + +var msg10 = msg("STM:09", part10); + +var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), +])); + +var msg11 = msg("STM:10", part11); + +var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), +])); + +var msg12 = msg("STM:11", part12); + +var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), +])); + +var msg13 = msg("STM:12", part13); + +var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), +])); + +var msg14 = msg("STM:13", part14); + +var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization 
complete."), +])); + +var msg15 = msg("STM:14", part15); + +var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), +])); + +var msg16 = msg("STM:15", part16); + +var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), +])); + +var msg17 = msg("STM:16", part17); + +var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), +])); + +var msg18 = msg("STM:17", part18); + +var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), +])); + +var msg19 = msg("STM:18", part19); + +var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), +])); + +var msg20 = msg("STM:19", part20); + +var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), +])); + +var msg21 = msg("STM:20", part21); + +var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps 
AddParamClassClonePatternsInfo."), +])); + +var msg22 = msg("STM:21", part22); + +var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), +])); + +var msg23 = msg("STM:22", part23); + +var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), +])); + +var msg24 = msg("STM:23", part24); + +var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), +])); + +var msg25 = msg("STM:24", part25); + +var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), +])); + +var msg26 = msg("STM:25", part26); + +var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg27 = msg("STM:26", part27); + +var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), +])); + +var msg28 = msg("STM:27", part28); + +var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), +])); + +var msg29 = 
msg("STM:28", part29); + +var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), +])); + +var msg30 = msg("STM:29", part30); + +var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), +])); + +var msg31 = msg("STM:30", part31); + +var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), +])); + +var msg32 = msg("STM:31", part32); + +var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), +])); + +var msg33 = msg("STM:32", part33); + +var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), +])); + +var msg34 = msg("STM:33", part34); + +var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), +])); + +var msg35 = msg("STM:34", part35); + +var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. 
Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), +])); + +var msg36 = msg("STM:35", part36); + +var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), +])); + +var msg37 = msg("STM:36", part37); + +var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), +])); + +var msg38 = msg("STM:37", part38); + +var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), +])); + +var msg39 = msg("STM:38", part39); + +var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), +])); + +var msg40 = msg("STM:39", part40); + +var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), +])); + +var msg41 = msg("STM:40", part41); + +var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), +])); 
+ +var msg42 = msg("STM:41", part42); + +var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg43 = msg("STM:42", part43); + +var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), +])); + +var msg44 = msg("STM:43", part44); + +var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), +])); + +var msg45 = msg("STM_WRAPPER:01", part45); + +var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. 
Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), +])); + +var msg46 = msg("STM_WRAPPER:02", part46); + +var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), +])); + +var msg47 = msg("STM_WRAPPER:03", part47); + +var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), +])); + +var msg48 = msg("STM_WRAPPER:04", part48); + +var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), +])); + +var msg49 = msg("STM_WRAPPER:05", part49); + +var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), +])); + +var msg50 = msg("STM_WRAPPER:06", part50); + +var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed."), +])); + +var msg51 = msg("STM_WRAPPER:07", part51); + +var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), +])); + +var msg52 = msg("CONFIG_AGENT:01", part52); + +var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), +])); + +var msg53 = msg("CONFIG_AGENT:02", part53); + +var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), +])); + +var msg54 = msg("CONFIG_AGENT:03", part54); + +var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), +])); + +var msg55 = msg("CONFIG_AGENT:04", part55); + +var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), +])); + +var msg56 = msg("CONFIG_AGENT:05", part56); + +var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), +])); + +var msg57 = 
msg("CONFIG_AGENT:06", part57); + +var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, +]); + +var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), +])); + +var msg58 = msg("PROCMON:01", part58); + +var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), +])); + +var msg59 = msg("PROCMON:02", part59); + +var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), +])); + +var msg60 = msg("PROCMON:03", part60); + +var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), +])); + +var msg61 = msg("PROCMON:04", part61); + +var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), +])); + +var msg62 = msg("PROCMON:05", part62); + +var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), +])); + +var msg63 = msg("PROCMON:06", part63); + +var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting 
heartbeat."), +])); + +var msg64 = msg("BYPASS:01", part64); + +var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), +])); + +var msg65 = msg("BYPASS:02", part65); + +var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), +])); + +var msg66 = msg("BYPASS:03", part66); + +var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), +])); + +var msg67 = msg("BYPASS:04", part67); + +var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, +]); + +var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), +])); + +var msg68 = msg("INSTALL:01", part68); + +var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), +])); + +var msg69 = msg("INSTALL:02", part69); + +var select7 = linear_select([ + msg68, + msg69, +]); + +var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), +])); + +var msg70 = msg("eventmgr:01", part70); + +var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), +])); + +var msg71 = msg("eventmgr:02", part71); 
+ +var select8 = linear_select([ + msg70, + msg71, +]); + +var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, +])); + +var msg72 = msg("CONFIG", part72); + +var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, +])); + +var msg73 = msg("LOGIN", part73); + +var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, +])); + +var msg74 = msg("SESSION_TIMEOUT", part74); + +var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, +])); + +var msg75 = msg("LOGOUT", part75); + +var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, +])); + +var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + +var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, +])); + +var msg77 = msg("TRANSPARENT_MODE", part77); + +var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, +])); + +var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + +var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, +])); + +var msg79 = msg("FIRMWARE_UPDATE", part79); + +var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" 
\"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Revert."), + dup8, +])); + +var msg80 = msg("FIRMWARE_REVERT", part80); + +var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, +])); + +var msg81 = msg("REBOOT", part81); + +var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, +])); + +var msg82 = msg("ROLLBACK", part82); + +var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + +var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + +var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + 
+var select9 = linear_select([ + msg83, + msg84, + msg85, +]); + +var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + +var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + +var select10 = linear_select([ + msg86, + msg87, +]); + +var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + +var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + +var select11 = linear_select([ + msg88, + msg89, +]); + +var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + +var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + +var select12 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("TILDE_IN_URL:01", dup27); + +var msg93 = msg("TILDE_IN_URL", dup26); + +var select13 = linear_select([ + msg92, + msg93, +]); + +var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + +var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + +var select14 = linear_select([ + msg94, + msg95, +]); + +var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + +var select15 = linear_select([ + dup13, + part85, + dup14, +]); + +var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + +var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + +var select16 = linear_select([ + msg96, + msg97, +]); + +var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + +var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + +var select17 = linear_select([ + msg98, + msg99, +]); + +var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + +var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + +var select18 = linear_select([ + msg100, + msg101, +]); + +var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + +var msg103 = msg("DENY_ACL_MATCHED", dup26); + +var select19 = linear_select([ + msg102, + msg103, +]); + +var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + +var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + +var msg106 = 
msg("UNRECOGNIZED_COOKIE", dup24); + +var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + +var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + +var msg109 = msg("INVALID_URL_ENCODING", dup24); + +var msg110 = msg("INVALID_URL_CHARSET", dup24); + +var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + +var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + +var select20 = linear_select([ + msg111, + msg112, +]); + +var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + +var msg114 = msg("SLASH_DOT_IN_URL", dup26); + +var select21 = linear_select([ + msg113, + msg114, +]); + +var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg115 = msg("SYS", part86); + +var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg116 = msg("BARRACUDAWAF", part87); + +var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), +])); + +var msg117 = msg("Audit_Logs", part88); + +var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), +])); + +var msg118 = msg("WF", part89); + +var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg119 = msg("TR_Logs:01", all2); + +var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg120 = msg("TR_Logs:02", all3); + +var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + 
dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg121 = msg("TR_Logs:03", all4); + +var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg122 = msg("TR_Logs", all5); + +var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + 
"UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), +]); + +var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + +var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var part100 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var select23 = linear_select([ + dup13, + dup14, +]); + +var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var select24 = linear_select([ + dup18, + dup19, +]); + +var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); 
diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml
new file mode 100644
index 00000000000..dffea972086
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Barracuda Web Application Firewall
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/barracuda/waf/manifest.yml b/x-pack/filebeat/module/barracuda/waf/manifest.yml
new file mode 100644
index 00000000000..a49e3f69f81
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/manifest.yml
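Review bot: Nothing in this processor list sets ECS event categorization — only user_agent, the geoip lookups and the AS renames run, and the expected output for the test fixtures carries `event.code` but no `event.kind`, `event.category`, `event.type` or `event.outcome`. For a dataset whose message IDs include SQL_INJECTION_IN_URL, CROSS_SITE_SCRIPTING_IN_PARAM, DENY_ACL_MATCHED, LOGIN and UNSUCCESSFUL_LOGIN, detection rules keyed on `event.category: web`/`intrusion_detection` or `event.category: authentication` will not match without per-deployment processing; in the converted RSA pipeline only LOGOUT visibly sets ec_* values, and what the shared dup chains set is not visible here. If categorization is deliberately left to a later pass, a comment under `processors:` such as `# ECS event.kind/category/type are not derived here; the RSA-converted pipeline.js only sets ec_* for LOGOUT` would stop the next reader from searching for it; otherwise a `set` of `event.kind: event` plus a mapping keyed on `event.code` belongs in this file. A one-line comment above the `destination.ip` geoip noting that the destination on a WAF is usually the protected backend, so that lookup is expected to be mostly empty, would also help.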
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["barracuda.waf", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9503
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log
new file mode 100644
index 00000000000..02e42897650
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log
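Review bot: The `input` default of `udp` next to `syslog_host: localhost` is the safe default, but the manifest gives no hint of why that matters: syslog over UDP carries no sender authentication, so once `syslog_host` is pointed at a routable address, any host that can reach port 9503 can inject forged entries, including the LOGIN, CONFIG, FIRMWARE_UPDATE and SUPPORT_TUNNEL_OPEN audit messages this dataset parses. I would add above `- name: input` the comment `# udp syslog is unauthenticated and spoofable; keep syslog_host on loopback or use tcp behind a trusted relay` (whether config/input.yml offers TLS for the tcp input is not visible in this diff). Separately, `tz_offset` defaulting to `local` presumably makes appliance timestamps be read in the collector's zone; a note such as `# set to the appliance's zone when Filebeat runs elsewhere, or event timelines will be skewed` on that var would help incident responders.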
@@ -0,0 +1,100 @@ +PROCMON: Started monitoring +BYPASS: Mode set to BYPASS (nbyCic). +UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +STM_WRAPPER: Successfully initialized STM. +STM_WRAPPER: Initializing STM. +eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 +PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. +BYPASS: Mode change: ccusant,epteurs +UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available +STM: LB-doloreeu elillumq CreateServer =loremeum +STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu +UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available +PROCMON: Monitoring links: lo4933 +PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. +CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet +STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv +STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. +BYPASS: Mode change: urEx,labo +eventmgr: Event manager startup succeeded. +STM: LB-Maloru lapariat SetServerdmin=oinBCSed +STM_WRAPPER: Successfully stopped STM. +PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua +STM: LB-isistena Malorum SetSapquelauda=enderit +eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 +UPDATE: [ALERT:exer] New attack definition version 1.481 is available +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +CONFIG_AGENT: isnisiu aspernat Update succeeded +INSTALL: Loading the snapshot for mquel release. 
+INSTALL: Migrating configuration from ueporr to ptate +PROCMON: [ALERT:onsequ] enp0s7094: link is up +CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali +eventmgr: Event manager startup succeeded. +PROCMON: Started monitoring +STM: LB-mveniam rvelill EnableServer =iame +PROCMON: number of stm worker threads iseuf +STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios +STM_WRAPPER: Successfully stopped STM. +eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 +PROCMON: [ALERT:uiadolo] eth321: link is up +CONFIG_AGENT: rsi ciduntut Update succeeded +CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal +INSTALL: Loading the snapshot for ris release. +CONFIG_AGENT: aliqui rcitat Update succeeded +CONFIG_AGENT: aeconse Initiating config_agent database commit phase. +PROCMON: Started monitoring +CONFIG_AGENT: iaecon ipexea Update succeeded +INSTALL: Migrating configuration from nulapa to cillu +PROCMON: [ALERT:ectetura] Firmware storage exceeds didun +CONFIG_AGENT: rcit nul Received put-tree command +UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available +UPDATE: [ALERT:amei] New attack definition version 1.7778 is available +UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available +INSTALL: Migrating configuration from iceroin to qui +INSTALL: Migrating configuration from pariatu to issusc +STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. +STM_WRAPPER: Committing UI configuration. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60 +STM_WRAPPER: Successfully initialized STM. +STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully +STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. 
+PROCMON: [ALERT:eumfu] eth5074: link is up +CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for pli release. +CONFIG_AGENT: erit Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for mod release. +INSTALL: Loading the snapshot for lamcolab release. +INSTALL: Migrating configuration from estlab to tis +PROCMON: [ALERT:uamqua] Firmware storage exceeds labo +INSTALL: Migrating configuration from tfugit to taspern +eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 +STM_WRAPPER: Successfully initialized STM. +PROCMON: number of stm worker threads isonula +STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor +PROCMON: [ALERT:atev] One of the RAID arrays is degrading. +CONFIG_AGENT: amaliq ept Received put-tree command +BYPASS: Mode set to BYPASS (ectetura). +STM: COOKIE-icab quiado scipit = quiavolu +BYPASS: Mode set to never bypass. +STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success +STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors +INSTALL: Loading the snapshot for admi release. +STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi +STM_WRAPPER: Successfully stopped STM. +PROCMON: Started monitoring +UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available +INSTALL: Loading the snapshot for stru release. +PROCMON: Monitoring links: enp0s6182 +STM_WRAPPER: command(--digest) execution status = quaeratv +STM_WRAPPER: Successfully initialized STM. +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Initializing STM. +STM_WRAPPER: Successfully initialized STM. +PROCMON: Started monitoring +CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa +STM_WRAPPER: Initializing STM. 
+STM: aps-quam etquasi CreateRC: RC Add policy Success +STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json new file mode 100644 index 00000000000..910233583b1 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json 
@@ -0,0 +1,1984 @@ +[ + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 0, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 28, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 65, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1000", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1000", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 138, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 227, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 270, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", + "fileset.name": "waf", + "host.ip": "10.16.222.151", + "input.type": "log", + "log.offset": 301, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.16.222.151" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + 
"rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 380, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: ccusant,epteurs", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 442, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 479, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3971", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3971", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", + "fileset.name": "waf", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 552, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 607, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 668, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.4012", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.4012", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: lo4933", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 741, + "network.interface.name": "lo4933", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "lo4933", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": 
"PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 775, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 837, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 967, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. 
Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1032, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: urEx,labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1162, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1193, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1236, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + 
"event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1289, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1328, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "ipsaqua", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1382, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", + "fileset.name": "waf", + "host.ip": "10.4.65.246", + "input.type": "log", + "log.offset": 1436, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.4.65.246" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog 
host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1513, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.481", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.481", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1583, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1626, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1715, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mquel release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1763, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from ueporr to ptate", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1812, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1866, + 
"network.interface.name": "enp0s7094", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s7094", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1912, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2045, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2088, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + 
"barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-mveniam rvelill EnableServer =iame", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2116, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads iseuf", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2165, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "euf", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2209, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2283, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + 
"rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", + "fileset.name": "waf", + "host.ip": "10.58.33.30", + "input.type": "log", + "log.offset": 2322, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.58.33.30" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2399, + "network.interface.name": "eth321", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth321", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2443, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: radipis 
RPC Name =isa, RPC Result: aal", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2487, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for ris release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2540, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2587, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2632, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + 
"forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2701, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2729, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from nulapa to cillu", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2774, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2828, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "didun", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + 
"rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rcit nul Received put-tree command", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2885, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2934, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1278", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1278", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3008, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7778", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7778", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": 
"barracuda", + "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3079, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3018", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3018", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from iceroin to qui", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3153, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from pariatu to issusc", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3206, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3262, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + 
"rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Committing UI configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3329, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3371, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", + "fileset.name": "waf", + "host.ip": "10.126.62.60", + "input.type": "log", + "log.offset": 3460, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.126.62.60" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3541, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3584, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: RespPage Response Page created successfully.", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + 
"event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3663, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eumfu] eth5074: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3788, + "network.interface.name": "eth5074", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth5074", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3831, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for pli release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3900, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": 
"Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3947, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mod release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4013, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for lamcolab release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4060, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating 
configuration from estlab to tis", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4112, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4164, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "labo", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from tfugit to taspern", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4218, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", + "fileset.name": "waf", + "host.ip": "10.48.248.158", + "input.type": "log", + "log.offset": 4274, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.48.248.158" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + 
"rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4354, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads isonula", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4397, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "onula", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4443, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4498, + "observer.product": "Web", + "observer.type": 
"WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4557, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (ectetura).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4608, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4647, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to never bypass.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4691, + 
"observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to never BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4725, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4803, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for admi release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4903, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-Bon seosqui 
AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4951, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5053, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5092, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5120, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7781", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7781", + "service.type": "barracuda", + 
"tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for stru release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5191, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: enp0s6182", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5239, + "network.interface.name": "enp0s6182", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s6182", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: command(--digest) execution status = quaeratv", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5276, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "quaeratv", + "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5335, + "observer.product": 
"Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5378, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5421, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5452, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": 
"waf", + "input.type": "log", + "log.offset": 5495, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5523, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5654, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-quam etquasi CreateRC: RC Add policy Success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5685, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] 
+ },
+ {
+ "event.code": "STM",
+ "event.dataset": "barracuda.waf",
+ "event.module": "barracuda",
+ "event.original": "STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi",
+ "fileset.name": "waf",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 5744,
+ "observer.product": "Web",
+ "observer.type": "WAF",
+ "observer.vendor": "Barracuda",
+ "rsa.internal.messageid": "STM",
+ "service.type": "barracuda",
+ "tags": [
+ "barracuda.waf",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md
new file mode 100644
index 00000000000..815d89a2f72
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/README.md
@@ -0,0 +1,7 @@
+# bluecoat module
+
+This is a module for Blue Coat Director logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0
+at 2020-07-13 17:55:34.664093 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml
new file mode 100644
index 00000000000..b4c71666b1c
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: bluecoat
+ director:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9505
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
new file mode 100644
index 00000000000..e2c798214dd
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
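Review bot: The config template omits `var.keep_raw_fields`, which the fileset docs added in the same commit describe as a supported setting defaulting to false, so anyone working only from the generated config will not discover it. Adding the commented pair `# Toggle output of the raw parser fields under rsa.raw (default false).` / `# var.keep_raw_fields: false` next to the `var.rsa_fields` entry keeps the template and the docs in sync. The `var.syslog_host: localhost` default is the right conservative choice for a network listener; a one-line template comment that changing it to `0.0.0.0` exposes the syslog port on every interface, as the docs already state, would make that trade-off visible where the setting is edited.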
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: bluecoat
+:has-dashboards: false
+
+== Bluecoat module
+
+experimental[]
+
+This is a module for receiving Blue Coat Director logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: director
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `director` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9505`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/bluecoat/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
new file mode 100644
index 00000000000..2efac151801
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: bluecoat
+ title: Blue Coat Director
+ description: >
+ bluecoat fields.
+ fields:
diff --git a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ 
type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ 
overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ overwrite: true
+ type: group
+ fields:
+ - name: auth_method
+ overwrite: true
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ overwrite: true
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ overwrite: true
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ overwrite: true
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ overwrite: true
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ overwrite: true
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ overwrite: true
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ overwrite: true
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ overwrite: true
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ overwrite: true
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - 
name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to 
capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is 
used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml
new file mode 100644
index 00000000000..7fc587fb028
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Bluecoat"
+ product: "Director"
+ type: "Configuration"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/bluecoat/director/config/liblogparser.js
+ - ${path.home}/module/bluecoat/director/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
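Review bot: `debug: {{.debug}}` is forwarded unfiltered to the script processor, and the liblogparser.js added in this same commit prints every raw input message (`input: <<…>>`) through console.debug whenever that flag is set, so turning on the module's debug variable copies full syslog payloads into Filebeat's own log. The field set added earlier in this diff (it references NetWitness and looks like the set these datasets populate) includes an `identity.password` key described as "Passwords seen in any session, plain text or encrypted", so those log copies can carry credentials. A one-line comment above the parameter would make that trade-off visible to whoever edits the template, e.g. `# debug: echoes every raw input message to the Filebeat log via liblogparser.js; keep off outside troubleshooting`, and the module documentation for `var.debug` should state the same.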
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+}
+
+function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined?
date.toDate() : undefined;
+}
+
+function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+}
+
+function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+}
+
+var uA = 60 * 60 * 24;
+var uD = 60 * 60 * 24;
+var uF = 60 * 60;
+var uG = 60 * 60 * 24 * 30;
+var uH = 60 * 60;
+var uI = 60 * 60;
+var uJ = 60 * 60 * 24;
+var uM = 60 * 60 * 24 * 30;
+var uN = 60 * 60;
+var uO = 1;
+var uS = 1;
+var uT = 60;
+var uU = 60;
+var uc = dc;
+
+function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+}
+
+function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + +var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var dup5 = setc("eventcategory","1605000000"); + +var dup6 = setf("msg","$MSG"); + +var dup7 = setc("event_description","bad variable"); + +var dup8 = setc("event_description","This file is automatically generated"); + +var dup9 = setc("eventcategory","1603000000"); + +var dup10 = setc("event_description","authentication failure"); + +var dup11 = linear_select([ + dup3, + dup4, +]); + +var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", ": Processing command: 
%{action}"); + +var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg1 = msg("cli", all1); + +var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); + +var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg2 = msg("cli:01", all2); + +var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + +var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), +}); + +var msg3 = msg("cli:02", all3); + +var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + +var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), +}); + +var msg4 = msg("cli:03", all4); + +var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + +var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), +}); + +var msg5 = msg("cli:04", all5); + +var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + +var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), +}); + +var msg6 = msg("cli:05", all6); + +var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + +var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + setc("event_description","Automatically logged out due to 
keyboard inactivity"), + ]), +}); + +var msg7 = msg("Automatically", all7); + +var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + +var all8 = all_match({ + processors: [ + dup2, + dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), +}); + +var msg8 = msg("cli:06", all8); + +var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + +var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), +}); + +var msg9 = msg("cli:07", all9); + +var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + +var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), +}); + +var msg10 = msg("Processing", all10); + +var msg11 = msg("cli:pam", dup12); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, +]); + +var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, +])); + +var msg12 = msg("schedulerd", part11); + +var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), +])); + +var msg13 = msg("schedulerd:01", part12); + +var select3 = linear_select([ + msg12, + msg13, +]); + +var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device 
\"%{hostname}\".", processor_chain([ + dup5, + dup6, +])); + +var msg14 = msg("configd:Rotating", part13); + +var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg15 = msg("configd:Deleting", part14); + +var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, +])); + +var msg16 = msg("configd", part15); + +var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg17 = msg("configd:01", part16); + +var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg18 = msg("configd:11", part17); + +var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg19 = msg("file", part18); + +var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg20 = msg("configd:02", part19); + +var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg21 = msg("configd:22", part20); + 
+var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg22 = msg("configd:03", part21); + +var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg23 = msg("configd:33", part22); + +var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), +])); + +var msg24 = msg("Backup", part23); + +var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), +])); + +var msg25 = msg("Beginning", part24); + +var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), +])); + +var msg26 = msg("Inputting", part25); + +var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg27 = msg("Saved", part26); + +var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg28 = msg("Importing", part27); + +var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg29 = msg("Overlay", part28); + +var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg30 = msg("Executed", part29); + +var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), +])); + +var msg31 = msg("Configuration", part30); + +var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), +])); + +var msg32 = msg("Create", part31); + +var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), +])); + +var msg33 = msg("Loaded", part32); + +var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), +])); + +var msg34 = msg("Setting", part33); + +var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg35 = msg("CCD", part34); + +var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, +])); + +var msg36 = msg("Device", part35); 
+ +var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, +])); + +var msg37 = msg("Output", part36); + +var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg38 = msg("ssh", part37); + +var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), +])); + +var msg39 = msg("Applying", part38); + +var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), +])); + +var msg40 = msg("Applying:01", part39); + +var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), +])); + +var msg41 = msg("configd:backup", part40); + +var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg42 = msg("file:01", part41); + +var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), +])); + +var msg43 = msg("configd:connection", part42); + +var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), +])); + +var msg44 = msg("configd:failed", part43); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), +])); + +var msg45 = msg("poller", part44); + +var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg46 = msg("heartbeat", part45); + +var part46 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", 
"%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg47 = msg("heartbeat:01", part46); + +var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), +])); + +var msg48 = msg("heartbeat:02", part47); + +var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), +])); + +var msg49 = msg("heartbeat:03", part48); + +var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), +])); + +var msg50 = msg("heartbeat:crit1", part49); + +var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), +])); + +var msg51 = msg("heartbeat:crit2", part50); + +var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg52 = msg("runner", part51); + +var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg53 = msg("runner:01", part52); + +var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup5, + dup6, +])); + +var msg54 = msg("runner:02", part53); + +var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg55 = msg("runner:crit1", part54); + +var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), +])); + +var msg56 = msg("runner:crit2", part55); + +var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, +]); + +var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup5, + dup6, +])); + +var msg57 = msg("ccd", part56); + +var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg58 = msg("ccd:01", part57); + +var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, +])); + +var msg59 = msg("ccd:03", 
part58); + +var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, +])); + +var msg60 = msg("ccd:04", part59); + +var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), +])); + +var msg61 = msg("ccd:02", part60); + +var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), +])); + +var msg62 = msg("ccd:05", part61); + +var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), +])); + +var msg63 = msg("ccd:06", part62); + +var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), +])); + +var msg64 = msg("ccd:07", part63); + +var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), +])); + +var msg65 = msg("ccd:08", part64); + +var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, +]); + +var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup9, + dup6, +])); + 
+var msg66 = msg("sshd", part65); + +var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), +])); + +var msg67 = msg("sshd:01", part66); + +var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg68 = msg("sshd:02", part67); + +var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), +])); + +var msg69 = msg("sshd:03", part68); + +var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg70 = msg("sshd:04", part69); + +var msg71 = msg("sshd:pam", dup12); + +var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, +]); + +var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup5, + dup6, +])); + +var msg72 = msg("dmd", part70); + +var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, +])); + +var msg73 = msg("dmd:01", part71); + +var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, +])); + +var msg74 = msg("dmd:11", part72); + +var part73 = 
match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg75 = msg("dmd:02", part73); + +var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, +])); + +var msg76 = msg("dmd:03", part74); + +var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, +]); + +var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), +])); + +var msg77 = msg("logrotate", part75); + +var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), +])); + +var msg78 = msg("ntpd", part76); + +var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), +])); + +var msg79 = msg("ntpd:01", part77); + +var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, +])); + +var msg80 = msg("ntpd:02", part78); + +var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), +])); + +var msg81 = msg("ntpd:03", part79); + +var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + 
setc("event_description","ntpd will start in few secs"), +])); + +var msg82 = msg("pm", part80); + +var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), +])); + +var msg83 = msg("pm:01", part81); + +var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), +])); + +var msg84 = msg("pm:02", part82); + +var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), +])); + +var msg85 = msg("pm:03", part83); + +var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), +])); + +var msg86 = msg("pm:04", part84); + +var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), +])); + +var msg87 = msg("pm:05", part85); + +var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), +])); + +var msg88 = msg("pm:06", part86); + +var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, +]); + +var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", 
processor_chain([ + dup5, + dup6, + setc("event_description","updated timestamp"), +])); + +var msg89 = msg("anacron", part87); + +var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), +])); + +var msg90 = msg("anacron:01", part88); + +var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), +])); + +var msg91 = msg("anacron:02", part89); + +var select12 = linear_select([ + msg89, + msg90, + msg91, +]); + +var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), +])); + +var msg92 = msg("epmd", part90); + +var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg93 = msg("epmd:01", part91); + +var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg94 = msg("epmd:02", part92); + +var select13 = linear_select([ + msg92, + msg93, + msg94, +]); + +var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg95 = msg("xinetd", part93); + +var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup5, + dup6, +])); + +var msg96 = msg("xinetd:01", part94); + +var select14 = linear_select([ + msg95, + msg96, +]); + +var part95 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + 
setc("event_description","Audit daemon rotating log files"), +])); + +var msg97 = msg("auditd", part95); + +var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), +])); + +var msg98 = msg("restorecond", part96); + +var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), +])); + +var msg99 = msg("authd", part97); + +var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), +])); + +var msg100 = msg("authd:01", part98); + +var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), +])); + +var msg101 = msg("authd:02", part99); + +var select15 = linear_select([ + msg99, + msg100, + msg101, +]); + +var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + +var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + +var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + +var select16 = linear_select([ + part101, + part102, +]); + +var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + +var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg102 = msg("rsyslogd", all11); + +var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + 
setc("event_description","shutting down"), +])); + +var msg103 = msg("shutdown", part104); + +var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), +])); + +var msg104 = msg("cmd", part105); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), +]); + +var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + +var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var select17 = linear_select([ + dup3, + dup4, +]); + +var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml new file mode 100644 index 00000000000..e26891a1ad0 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Blue Coat Director
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/bluecoat/director/manifest.yml b/x-pack/filebeat/module/bluecoat/director/manifest.yml
new file mode 100644
index 00000000000..10ad36cde94
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/manifest.yml
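Review bot: The `user_agent` processor at the top of the hunk enriches `user_agent.original`, but none of the Director message patterns visible in the preceding pipeline.js hunk write that field (they extract `saddr`, `username`, `hostname` and free-text `info`), so the step looks like dead weight that also drives the `ingest-user_agent` plugin requirement in manifest.yml. If no pattern in the fileset populates it, the processor and the requirement could be dropped; otherwise a comment above it naming the source field it expects would justify keeping it. The `on_failure` block at the end indexes a document that failed enrichment with only `error.message` appended, so a comment such as `# enrichment failures still index the event; watch error.message` would tell operators where those documents surface.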
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["bluecoat.director", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9505
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log b/x-pack/filebeat/module/bluecoat/director/test/generated.log
new file mode 100644
index 00000000000..7035845d2c6
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log
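Review bot: The `input: udp` default together with `syslog_host: localhost` and `syslog_port: 9505` carries no comment on the trade-off it makes: UDP syslog provides no transport-level sender authentication or integrity, so anything that reaches the bound port is parsed as Director output and tagged `forwarded`. A comment above the `input` variable, e.g. `# udp (default) has no sender authentication; keep syslog_host on a trusted collector interface or use tcp`, would make that explicit for anyone who moves `syslog_host` off localhost. The `rsa_fields`, `keep_raw_fields` and `debug` variables are likewise undocumented in this manifest; one line each on what they toggle would spare readers a trip to the input config.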
@@ -0,0 +1,100 @@ +ntpd[1001]: kernel time sync enabled utl +restorecond: : Reset file context quasiarc: liqua +auditd[5699]: Audit daemon rotating log files +anacron[5066]: Normal exit ehend +restorecond: : Reset file context vol: luptat +heartbeat: : < Processing command: accept +restorecond: : Reset file context nci: ofdeFin +auditd[6668]: Audit daemon rotating log files +anacron[1613]: Normal exit mvolu +ntpd[2959]: ntpd gelit-r tatno +anacron[654]: Updated timestamp for job rmagni to sit +dmd: : < Health state for metric"seq3874.mail.domain" "quid" changed to "fug", reason: "success" +auditd[2067]: Audit daemon rotating log files +pm[5969]: < check_license_validity(), tae +logrotate: : ALERT exited abnormally with temUten +sshd: : < error: Bind to port Duisau on psum failed: failure +configd: : < itaut@rveli: command: accept +authd: : < authd_signal_handler(), quam +xinetd[6547]: Started working: onproide available services +logrotate: : ALERT exited abnormally with tfug +heartbeat: : < Processing command: deny +sshd: : < error: Bind to port erc on amqu failed: unknown +ntpd[4515]: ntpd emp-r aperia +restorecond: : Reset file context run: vol +logrotate: : ALERT exited abnormally with mporain +heartbeat: : < connect: atu +cmd: : < cmd starting adeseru +pm[7061]: < ntpd will start in tlabo +poller[795]: < Querying content system for job results. 
+runner[6134]: < Processing command: allow +epmd: : epmd: epmd running orpor +runner[602]: < Failed to exec olup +shutdown[2807]: shutting down non +configd: : < sperna@sintocc: command: cancel +auditd[2986]: Audit daemon rotating log files +configd: : < CREATE onsequ +auditd[1243]: Audit daemon rotating log files +xinetd[6599]: Started working: naal available services +xinetd[5850]: Started working: rQu available services +heartbeat: : < queips: undefined symbol: ncidi +authd: : < authd_close(): npr +anacron[6373]: Anacron 1.3962 started on epre +cmd: : < cmd starting isiuta +sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm +ccd: : < Device elitse6672.internal.localdomain: mquisno +runner[1859]: < Failed to exec umSe +shutdown[6110]: shutting down itau +sshd[2415]: PAM lorsita more authentication failure; dolore +heartbeat: : < connect: inimveni +authd: : < authd_close(): psumqu +runner[2558]: < Failed to exec edquiac +anacron[4538]: Updated timestamp for job remips to uisaute +auditd[6837]: Audit daemon rotating log files +pm[1493]: < print_msg(), dic +configd: : < Device "itation4168.api.domain" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci +epmd: : epmd: invalid packet size (mquae) +runner[429]: < File reading failed +shutdown[7595]: shutting down emqu +heartbeat: : < The HB command is accept +authd: : < authd_signal_handler(), isetquas +authd: : < authd_signal_handler(), gnaal +logrotate: : ALERT exited abnormally with voluptas +ntpd[627]: ntpd exiting on signal orin +restorecond: : Reset file context ecillu: mmodoc +sshd: : bad username mquisn +ntpd[1313]: ntpd derit-r orese +ccd: : < Device Communication Daemon online +restorecond: : Reset file context olup: aco +shutdown[609]: shutting down ser +ntpd[2991]: ntpd orinrep-r quiavol +dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB +ccd: : < ccd_handle_read_failure(), uid +cmd: : < cmd starting lmolesti +dmd: : < 
inserted device id = ersp6625.internal.domain and serial number = seq into DB +cmd: : < cmd starting uipexe +heartbeat: : < The HB command is cancel +anacron[7360]: Normal exit tperspic +dmd: : < Filter on (tetura) things. riosamni +ccd: : < Device eleumiu2454.api.local: tat +schedulerd: : < System time changed, recomputing job run times. +xinetd[3450]: Started working: aconsequ available services +authd: : < handle_authd unknown message =utemvel +ntpd[16]: time reset stquido +ccd: : < Device olu5333.www.domain: orumSe +anacron[80]: Normal exit ici +ntpd[7612]: kernel time sync enabled nturmag +cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor +schedulerd: : < Executing Job "tquo" execution iatnu +logrotate: : ALERT exited abnormally with ntut +poller[7151]: < Querying content system for job results. +ntpd[2314]: ntpd litanim-r rQuisaut +heartbeat: : < Processing command: block +epmd: : epmd: got emp +schedulerd: : < System time changed, recomputing job run times. +dmd: : < Health state for group "lab" changed from "llumq" to "tenim" +pm[5899]: < print_msg(), orem +epmd: : epmd: epmd running inBC +pm[2746]: < print_msg(), ptate +schedulerd: : < Executing Job "CSe" execution exerci +auditd[6012]: Audit daemon rotating log files diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json new file mode 100644 index 00000000000..94a001da91a --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json 
@@ -0,0 +1,2233 @@ +[ + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1001]: kernel time sync enabled utl", + "fileset.name": "director", + "input.type": "log", + "log.offset": 0, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1001, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context quasiarc: liqua", + "file.name": "quasiarc", + "fileset.name": "director", + "input.type": "log", + "log.offset": 41, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[5699]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 91, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5699, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[5066]: Normal exit ehend", + "fileset.name": "director", + "input.type": "log", + "log.offset": 
137, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5066, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context vol: luptat", + "file.name": "vol", + "fileset.name": "director", + "input.type": "log", + "log.offset": 170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 216, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context nci: ofdeFin", + "file.name": "nci", + "fileset.name": "director", + "input.type": "log", + "log.offset": 272, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": 
"restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6668]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 319, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6668, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[1613]: Normal exit mvolu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 365, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1613, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2959]: ntpd gelit-r tatno", + "fileset.name": "director", + "input.type": "log", + "log.offset": 398, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2959, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[654]: Updated timestamp for job rmagni to sit", + "fileset.name": 
"director", + "input.type": "log", + "log.offset": 429, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 654, + "rsa.db.index": "rmagni", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for metric\"seq3874.mail.domain\" \"quid\" changed to \"fug\", reason: \"success\"", + "fileset.name": "director", + "host.name": "seq3874.mail.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 483, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "fug", + "rsa.misc.change_old": "quid", + "rsa.misc.client": "dmd:", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "seq3874.mail.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2067]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 598, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2067, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5969]: < check_license_validity(), tae", + "fileset.name": 
"director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 644, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5969, + "rsa.internal.event_desc": "check license validity", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with temUten", + "fileset.name": "director", + "input.type": "log", + "log.offset": 705, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port Duisau on psum failed: failure", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 755, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < itaut@rveli: command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 828, + "observer.product": "Director", + "observer.type": "Configuration", + 
"observer.vendor": "Bluecoat", + "related.user": [ + "itaut" + ], + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "itaut" + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), quam", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 882, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6547]: Started working: onproide available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 934, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6547, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with tfug", + "fileset.name": "director", + "input.type": "log", + "log.offset": 993, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + 
"bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: deny", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1040, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port erc on amqu failed: unknown", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1092, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[4515]: ntpd emp-r aperia", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1164, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4515, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context run: vol", + "file.name": "run", + "fileset.name": 
"director", + "input.type": "log", + "log.offset": 1194, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with mporain", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1237, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: atu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1287, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting adeseru", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1332, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + 
"rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[7061]: < ntpd will start in tlabo", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1375, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7061, + "rsa.internal.event_desc": "ntpd will start in few secs", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[795]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1430, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 795, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[6134]: < Processing command: allow", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1500, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6134, + "rsa.internal.messageid": "runner", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "runner", + "rsa.misc.severity": 
"very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running orpor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1557, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orpor", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[602]: < Failed to exec olup", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1590, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 602, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[2807]: shutting down non", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1642, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2807, + "rsa.db.index": "non", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < sperna@sintocc: command: 
cancel", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 1676, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "related.user": [ + "sperna" + ], + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "sperna" + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2986]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1735, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2986, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < CREATE onsequ", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1781, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "onsequ", + "rsa.internal.event_desc": "Table creation", + "rsa.internal.messageid": "configd", + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[1243]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1824, + "observer.product": "Director", + 
"observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1243, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6599]: Started working: naal available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1870, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6599, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[5850]: Started working: rQu available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1925, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5850, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < queips: undefined symbol: ncidi", + "file.name": "queips", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1979, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "ncidi", + "rsa.internal.event_desc": "undefined symbol", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + 
"tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): npr", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2037, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "npr", + "rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[6373]: Anacron 1.3962 started on epre", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2083, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "observer.version": "1.3962", + "process.pid": 6373, + "rsa.internal.event_desc": "anacron started", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "rsa.misc.version": "1.3962", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting isiuta", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 2129, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + 
"event.original": "sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5227, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device elitse6672.internal.localdomain: mquisno", + "fileset.name": "director", + "host.name": "elitse6672.internal.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 2226, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "mquisno", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "elitse6672.internal.localdomain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[1859]: < Failed to exec umSe", + "file.name": "umSe", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2293, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1859, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[6110]: shutting down itau", + 
"fileset.name": "director", + "input.type": "log", + "log.offset": 2344, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6110, + "rsa.db.index": "itau", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd[2415]: PAM lorsita more authentication failure; dolore", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2379, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2415, + "rsa.db.index": "dolore", + "rsa.internal.event_desc": "authentication failure", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: inimveni", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2439, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): psumqu", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 2486, + "observer.product": "Director", + "observer.type": "Configuration", + 
"observer.vendor": "Bluecoat", + "rsa.db.index": "psumqu", + "rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[2558]: < Failed to exec edquiac", + "file.name": "edquiac", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2531, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2558, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[4538]: Updated timestamp for job remips to uisaute", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2582, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4538, + "rsa.db.index": "remips", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6837]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2641, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6837, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + 
"rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[1493]: < print_msg(), dic", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2687, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1493, + "rsa.db.index": "dic", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < Device \"itation4168.api.domain\" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci", + "fileset.name": "director", + "host.name": "itation4168.api.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 2730, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "dipisci", + "rsa.internal.event_desc": "This file is automatically generated", + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "itation4168.api.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: invalid packet size (mquae)", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2889, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": 
"Bluecoat", + "rsa.internal.event_desc": "invalid packet size", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[429]: < File reading failed", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2931, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 429, + "rsa.internal.event_desc": "File reading failed", + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[7595]: shutting down emqu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2985, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7595, + "rsa.db.index": "emqu", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3020, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), isetquas", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3073, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), gnaal", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3132, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with voluptas", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3188, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[627]: 
ntpd exiting on signal orin", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3239, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 627, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context ecillu: mmodoc", + "file.name": "ecillu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3278, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : bad username mquisn", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3327, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "bad username", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1313]: ntpd derit-r orese", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3355, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1313, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device Communication Daemon online", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3386, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "device communication daemon online", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context olup: aco", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3446, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[609]: shutting down ser", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3490, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 609, + "rsa.db.index": "ser", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2991]: ntpd 
orinrep-r quiavol", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3523, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2991, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB", + "fileset.name": "director", + "host.name": "sBonor2001.www5.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 3558, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "sBonor2001.www5.example" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < ccd_handle_read_failure(), uid", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3657, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "uid", + "rsa.internal.event_desc": "ccd handle read failure", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting lmolesti", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 3712, + "observer.product": "Director", + 
"observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = ersp6625.internal.domain and serial number = seq into DB", + "fileset.name": "director", + "host.name": "ersp6625.internal.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 3756, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ersp6625.internal.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting uipexe", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3858, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is cancel", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3903, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": 
"heartbeat", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[7360]: Normal exit tperspic", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3952, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7360, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Filter on (tetura) things. riosamni", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3988, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "riosamni", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device eleumiu2454.api.local: tat", + "fileset.name": "director", + "host.name": "eleumiu2454.api.local", + "input.type": "log", + "log.level": "low", + "log.offset": 4048, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "tat", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + 
"eleumiu2454.api.local" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4103, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[3450]: Started working: aconsequ available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4184, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 3450, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < handle_authd unknown message =utemvel", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4243, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "handle authd unknown message", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + 
"event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[16]: time reset stquido", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4305, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 16, + "rsa.internal.event_desc": "time reset", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device olu5333.www.domain: orumSe", + "fileset.name": "director", + "host.name": "olu5333.www.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 4334, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orumSe", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "olu5333.www.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[80]: Normal exit ici", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4389, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 80, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[7612]: kernel time sync enabled nturmag", + "fileset.name": "director", + 
"input.type": "log", + "log.offset": 4418, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7612, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4463, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7128, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "cli", + "rsa.misc.client": "cli", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"tquo\" execution iatnu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4519, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.operation_id": "tquo", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with ntut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4587, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + 
"rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[7151]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4634, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7151, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2314]: ntpd litanim-r rQuisaut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4701, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2314, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: block", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4737, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + 
"event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: got emp", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4790, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "emp", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4812, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for group \"lab\" changed from \"llumq\" to \"tenim\"", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 4893, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "tenim", + "rsa.misc.change_old": "llumq", + "rsa.misc.client": "dmd:", + "rsa.misc.group_object": "lab", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5899]: < print_msg(), orem", + 
"fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 4978, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5899, + "rsa.db.index": "orem", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running inBC", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5018, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "inBC", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[2746]: < print_msg(), ptate", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5050, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2746, + "rsa.db.index": "ptate", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"CSe\" execution exerci", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 5099, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": 
"Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.operation_id": "CSe", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6012]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5163, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6012, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/bluecoat/fields.go b/x-pack/filebeat/module/bluecoat/fields.go new file mode 100644 index 00000000000..7c2bc78268d --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package bluecoat + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "bluecoat", asset.ModuleFieldsPri, AssetBluecoat); err != nil { + panic(err) + } +} + +// AssetBluecoat returns asset data. +// This is the base64 encoded gzipped contents of module/bluecoat. +func AssetBluecoat() string { + return "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" +} diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index b5d555b03b5..056512d4769 100644 
--- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -51,3 +51,22 @@ # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 477bc2f86a1..b5d7a81d900 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -11,6 +11,7 @@ filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. +- `nexus` fileset: supports Cisco Nexus switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
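Review bot: The `# var.syslog_host: localhost` and `# var.input: udp` lines in the new `nexus` block carry no warning that moving the listener off loopback (which the docs hunk in this same commit invites with "Set to `0.0.0.0` to bind to all available interfaces") opens an unauthenticated port that parses and indexes anything sent to it, and since UDP source addresses are trivially spoofed, a network-local sender can inject forged Nexus events into the index. Nothing visible in this block suggests the tcp input authenticates clients either, so the caveat applies to both. I would add directly above `# var.syslog_host: localhost`: `# Any address other than localhost accepts unauthenticated syslog from every host that can reach the port (UDP senders can forge their source); firewall the port or use the file input.` (wrapped to the template's comment width). The `9506` port matches the docs hunk, so no change is needed there.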
@@ -294,6 +295,51 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: +[float] +==== `nexus` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9506` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] [[dynamic-script-compilations]] === Dynamic Script Compilations diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 58624e92659..a644fa716ac 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsmU1v4zYQhu/5FXMp0AKOe/ehQOAkQIDmA/VugZ4Mhhxa3FAclRzF639fkJJtWVBkuVHaDWAdglgf8z7k0MN5rUt4wc0MpAmSLgDYsMUZzOuPCoP0pmBDbga/XQAA3JMqLYImD5lwyhq3qm4Hh7wm/wIKX41EsLQK0wsAbdCqMEsPX4ITOe7l4sGbAmew8lQW9ZkO1XjcpkCgPeW14lYiHk2ZppQIYneuS6xHsClKvta8WlzBrfG4FtZOG7e29fcEOYYgVrg06iByhfKCmzX5wys9OABfMmyQ1LHBKHRstEG/Z+pACaXW5vtADPwu8iKuhoAhGHLDGR/TeWFrPRCa0cNPEXgoKJVe4tI4Rq+FxDFmbpFiwi5mSipnCNrSGsgDvqLjXiyFgY0TMf64bNf7wO8C9KXFZfx3DKgHkSOQTghXUmIIMCfHniz8bgInMeBMMOSCZYYKODNhAGWd3TKg/wjWGLfiMiGdqPTq6RxE2Ez0f4bZED2FNRdFgWq5/coUHZytk0cLDHvhghWMajt3d08glPIYwgksGQUePGtalJaXqYzOQAsb8L3MUf4E2oJ8F60lt3ovSQw9hOSgvoycyObqOi2bTar/K6VN+qF5bXJ/RHKbTEczzJlHwUuLr2jH6QNiPEjxUrXIhV0Lj/ArPBM75EiqtZFTeHSp5ryi31xaWk8g/mmFy0mhF4wTyMwqi5tNuj1+GDIsKRhX5DdjjGxex9ptf2+P7DZuits25dX4Mkzqe9rjY0/fhJsAsuwdjyTnUFZfwFH6ta/O/F02G7Q0LJH29F4SI/NiGUU7KELWXs69DHfz+6f05HFBSWoswRhq6Fy/Mc6PKSt/Pj00tOFAu6sXEMXSoySvwmkg7+jwRQhm5VDB9dUTtMW3YJrVqNYm2pqC1ui3xeUaNbqAP4jfuf1y/bn8TgQ++52z3zn7nU/td+BrQLiZL+pLUyd4aoqzDfqXNqhrOn9gf7TDbVw/YQmcvdNxpsNl0Z7ns7M6O6uzszoQPOqsAsrSG+5aNPT8DeXbgi25P8S67vTT5C7quHATd+n+H48+ubv7SMRB7s5QGNXd3T0uDl6YQa+JE6n/XVpzwpY1sA+Mm2vVXcfovWtIC2ls9zrudXCLm/lpGdkKAROsMyOzqjzWbtOjRh/gZ70vihNYPNw/TWDx12ICwsUWpxVWk+fslylc7YNL4eAZQUAmvEqFt3pXOgEBhScmSXYCqYjl1WtW0u1qG9v7TWDMIZDmGGQKdwwKHTEetP91jZeiDLu5rx5t71DVMKcX/wQAAP//vCMXEQ==" + return 
"eJzsvW1zIzeSIPx9fgUeRzznbofMttsve+Ob3QutpB7rpl+0re723sVEVICoJAmrCqgGUKToX3+BBKpYrEKREgVQ6j3Phwm3SCYSiUQi3/NbcgPrXwjjmsm/EGK4KeAXcub/mYNmileGS/EL+be/EELIG5nXBZCZVGRBRV5wMXdfJwLMSqobksOSMyCFnOvJXwiZcShy/Qv++FsiaAmb5ez/zLqCX8hcybryfwmsav/3CgGRmZKlX7FZwv6vu0x3Kapp+7fQYjsW7C4qlV/z9PqUvOIKVrQoJp2v9tffYFCC1nQOGc+3IDtUbmC9kmr7kx3oEPJhAR1MPGzCcxCGzzioDU4BVHQ9m/HbO6IBt7SsLDdo0JpLcXcc3+HfaeHXI3RmQJH/3yJ8V0RlrRhkXBhQM8ogBuWuESZpYeKhmgWQWSFXRCoCSxBmJ1o5aMMFtfDj4na+AfwgBFVdQGb/MwZSb2kJRM4QhVPGQGtyJoVRsiCvuTa4GDELakhJDVtATsyC6ztg6U+31qBS4GrhOry4xj+49Tw574Rh96CPhmZn0fvgWtKqgjxrrkwVwLP3x70CxigqdEEN5A3tLq8IzXMFWt8Dl4XU5s5Um9G6MBmK0V/IjBYaHoqzXf4e2FZShbAtpJg/FBML+i6YbMmXyAfZ5a77nWYXq8c60i72dz3XLt4pDreL094TNgsF1GQFLKGIowdYeAThobQoabGiCsgLMpVGgLGYzmacTcg7gTJnCWr9bSFXJ8T+Xw9cKXNQ1MAJWfD5wj42+HX7j7tsi1EDc6nWMXZ25mG1z9/4zl7ZR7FRU5Zc1frEf6e/P6Pk71ScEDBs536YFAKYu4BR9LWPgn+uuwoabovim74TE87KKrOLBrDQiz4778Th8uzNFf5y/4JM5rEWtKDuSuuRfaYRK5+u3nbWJltrh3QBWmUKmFS5vh8iD9DwqdZ8LiAn56dXpL94g9jM5FFNG2vWVHIFqhEu5zADoeGJ2DuvPpx/WfaORfhPe+dPe+dPe+eLtnfIRw3k4uzafzQR1Ex49acZdKAZFCLnE7aPWnQ7n9+DBf60nfbjtM0WfTr/aVn9aVn9aVltLbjXstLAasVNiGnk9Hdg4wv2lntPV17TR+Jee7jkwr7Su51HX7h1lxLFO1l3XOqo1t3lu+utgBnZacRR1H+zgt/jybqjHmgfV6ddW+g7eWhGGS/CfLzTgru+OLvfiTQLESPJasHZwolHb20qmIHS5NlsIxRPyPXbN1cn5Pp/X58QKqyK0wM7k8osnk/I6QY4o4JMgVCyoCpHwetipSeEkkpJI5ksTggKsdKFWeWsL22ter/WBkqi5cxYIBNyaUgOQhrYUv+9jGe01i3t3U/7L5Tb5mTAgj6iO2kttEnPLpBLUCvFjX2uVA0Dfh0e0p7Ls+OguizUhJo3puNqAQrwM/+EkQXVZAogiJxqUEvIh/tTW7HhfZsZXr6dWxm/W4i1oNvKyvjqY+uHlujocXreO+ZdK+y6Vb1T+WCttBtYWyuu1tYIloTRytSe/oqu2ouD1h6TJWi7aWk/74Em5LWck3OwT5oKb8TB4n2kDt1OAxcNTavnssiAPcKJqe9J7m48k8LYB9neDy60ocI0aOggjoaXhyCYU9P/YIidt+7tEoQaL05p41UjC240oeQtmN+4EfYZ8Kc/GbBGu1m9kHWREwFLUFaCNnxXUaWBvAFDLWrU5YZslnr2Ws71iyvKbsDo5wPw51wBM8X6xHkeuEXrPThh4ThcdNCcBAk5tDruRsmB8dSj5DlUChiaShaTHGbcKgxSFIiWodPCqu9VGKtSz/tKdlwO9Gf8xt/zy/PvyZIWtb/xrUruvgW3lBmre7jzUoODwN1xVNcct+D37HFUVBnO6oIq/L0/2MkoZwxAH8QpIc4YQB7nlNEjWR73TF7+eSa7z8SumuZAHnZ95fT3DDfSP5Yng92SHiL0kqOmwOm+TxE3S7ZU9/9hmGlDDZQgzFNEjtY
5NxkraO8OPxH0QJieb+6JILYY+JueCGJcHIZYWo2pkRxPl9NyoIdIj7Rkm4GLFcSyoUb0mpCd2fli4xaw2Az0kIGS8DAroqeHDKDvsSLGqTgIuR6FiqLjVQmSz5FrsM1I5CMBCt6bfOwYanU9iDY0+/d/Wm8btWdSMPs4UCOfumU7Im6WPK047FL3zC7DZ5zR7n1+Lecu0tDkstQiB4XOUvCCarD1Gb+FnGgwFsjWj7fX0OMGS3MIA9gPNljaQxiAvtehDD2B8f1LhzHmYF/3oMn9aDAIpifhy1+lNl0RWfQ5UoPIuZg3H+oQ23R8SF8OffkhDDb40ShhL6+WPzY5FqPXvU/cwe6N/FKJu/w5NXl//n+XvIN4cxLZ0JcLzpHW9ZblhJI5X4JonWRfriJgSXSY/yKtBZI/ReXvy4hojDo0ZLXOFHxOcNbd4CEeMO57ukYqX7ilyRVepBPvzTaUfFhXQBgdSpApEOBmAYp8vBTm+5+JVORVIan54SWZUo1c1ATIZnxeK1T99uz7EHX3C943hkHTGZ8R/AvBFLijWMfNyl+8g0GqFVV5MqWuI9E62+5S8vLq05a+R4mCgvaPlDS5Le4R9Whjoj04TvX1//bfUvE5x6oL95ttbWUPHVLpXzsSIy6vPv0cIEE4J4dEIEGL0ZDKMV6fDaMOFcdDX58F0BzUUWLXv+JS5PL8IVFSh283WIpgDouVPmknW8Gy5H422ihalxtFCy+KNV3OZFEAM1J9iQLYUu8Rcm4sz3FNmCMd5BbTLUX1teyrLWQHoZ+gxVey6VNRVUupMdmtlIJM14NDI0TB5xo0lj9pXlbF2p+T/TIm6gJlC6J5DuTZd8QsVE1e/vTTc7KimmgA0a6ygxJPQnm9AyV0JYWGdKRgXwxXMFmLtiRO1OXUCT17lXUQAnlGp3IJHWJwEcysbMSbNgpoOXp/2BfDNo9MKsh53dfTYhDqq5Dm2DoW+Ixw88/65Xff/1U7kf6iQgHaIP3PwW7+ae3B13QNirwkF4LRSteFi6xYk/Jecj0E/YHBj0BuZWiVH16Sf7XbPSE//ED+lTCprL6Mu/CLnpD/Vpj/Yb/INdkmylfBIxQyD5QLPxFbV6wgY7QoppTdpNWAHXJNwQA1zq6wRASRV5ILg6aJgXCCMzJHBkrJRPlpG31QV8A4LRBjxFQbqaxmLdZO67AfLGnBc8cYIaQImcla5PaFKQCR52LulaO9yYvbN2IAOUYs0F+HHWGjkVNYF5LmT+Wd8+gQzf8AUoJRnAWsDm8Kd7+MtrB77hshbJ99ajYarZw1xzYhv8qVPZqhzckFkcoaY0aSG4BqD9GexIv3hRBNSSwGW/I8y1NFXS8ayTMHgfWyGsuqamdHe7twyZWpaWGN9i3fuwi4OHjJrdmNsXIkhtuFv+qX50RZaa3RoYJEo2oOpv3aXkpolSjp6dEp0VTr76KEShIKGgr+y/PG9/oeSmmAXHt+ZwrwoZ2uxwQlwT4jLhDzBQRe/EqZrgqeMrPhSZvzmg/U/iehm1mZm5Df8dbZN6Ap0/Rc11gt/gn5rxFhdOJlxotHiNHbVa1xdHV2euV1X1+Uy8tKqr7GS/CJ/OLSIOqn4f7wDRrQEEfTPeRK3Tbl681PNga703PQMp+Qlz/9TFZI9xKoILQowr4CdOqjmrTxH5EVKHBgscEH1YZI0SsX2Sbio6uJXzYRA3c1RdjW0+43qXIkHGY1AVsIWcj5uh+Im3E10GIJ+YmwBVWUGUdEe6nXiD86zQWphc/pKbZ85qMVtbELul2gPmUQYUfsEi2K0iqZUjRhBEVXozINJWtPraQMNVYXoxDe5yAZq1UDURsqcqpyIqQqacH/COX3SlUG6ZP7LIeDSSTr6eBJuheRNli3yLwo+AxwxwEDXwOTIh9RsDfHnWmT0s+yY0NcMFlWBZggA4w6USkq8Ebxnhjs1Jsp80iMfG3XDrLzGCtvc+Yo+5VSmEWkY9rUp8bKedlkOeWPRPg
LkacguwX5hxSpuy3sEIt29UbFdOm1H/oUHoioZDf6lBi4Nf7ykSUo3SmnyHflgQXO96HMtgYaa5ubMj0mVQ55unfQJ9n4Z0q3KzY6RpNp036xG18fvlZKlhOEWmNRvmYgqOLSqfVlXRj+reGgCK2qoql+2fSyKamg81BpLiEFhne22vo0raQIN19rIlfCRcYMLau+Z9BjjJ03lRwmH3GjCVtwa93IHPSEvKm1QTOpC9TeSmpG8nKpgQMPaacAm80s3ks4hiaEh9ws6GiHraBAMMcQ1KrWOV/y3Go2yA9hQXbdCLIPPeKFN3lbcXW0HW7O08WCbi0nclOsm75XRqK+ZpFybRl3+kYjHvqoC+fESuNWnk0GS7bpZLKOLYHKgSL3UIgt/WNfFdQgP9dQH42VLHc7LtrIxxXVBJHIR/gGkfs+NlEjKgVbBE0g0+alSfD6zssUuFZZAlSrLIX2XMUURdtAX0aHmkBX6rwij2NC9szH4BszeC7v9eYcKjb3ybVDggWbB6LXDSG2I4iygRIfQ7HWdZE67DRiRcnaMFnCC4dDa7xgVvagASaxfOFIsGVAjjAILGHQCPdoG2tW90WAncjOLpdP2uLFQe9A90q3lS4WGsadKmB8xjeGT1i79U3cR3jK68rps5kCB9C6GHm+KZhoXFS5D7IE8fZm87EO4dO2ld61BKUi7659aizXTUJA369GfF/Y3ugEslUlqSupeUTBcSfeQnNa5K7DFKbyN3d3tAtPXZhhq+zHEkWiLkFxdl9ZFNzbEarYdmysW8nW3gwnltz9HmxtCSKXyifM7tyZnP7+CN1rmtBuoKF5F7H0teADclsJuhsxJ+lT9qr7anghfdW/FzPey7WgbW6xkIZQHBBhkQwn0BZynjWJKo8i1BtGvLdQP0bPlC3Z93dMt8Ku1Sg+woq/LDhbp749O+TCFSLgm2uLYj0il4NjlhIT8H1dACIWFqdSGLhNrbG2CF0K56/b9EOlea7t/+GjSosGoVADmD2PM1tQMYdMwCq1LBgLXMKqE+pHJcQYxae1gY6EGOboa4e61da7z19YdOiqPzvs4VYLK3iytpW7iIaGYD+/yCHT1d8Cxi1WgFmCNQ0H9SbnSy1BTcg1uEOpNagJnQO28vaZ7jOpGhwGsBswTm9nbtyW+32nb4VUZKrkyn7W/NXrms7sGu0nfZlfUWViu+lawLE9Kv5OyUF16LHulCzyVm1MdaVkBT6gmOotPhWEFqBMm12kNov6v7nwlhcfnSYAmIQUUJhzIqT4VkEFaMnsyn5As+GYTw6rlbIXprVX8CRRj3vBXYStCf8MdrbiZuGVZSfryTkuOMVqE0Gk+HYu7X/veAlQSckCimPCfdNOMPAFImCRlDNipYPhoCfkeiNT+oMNupVVaTA+c+V8tbZGjCsZdck2uRe/nvCUsKLWpmFI/4/BMeFPuLYn6WuivX/DKr746bgKdHTtx92wsEXv2jKlU8q+3md4WSzPEQtCtZaMo7/UnkbQnsQDe81v4BdCSbVYa85oQXKub05IpXAmCg4R+zqsKFNFD6m9vOdD7+psFC3BgNKkohq7eGls5OB6ETBZllaKya2g/bC0ZmseGhk+Te49eCyNr3OGCR4mJ76ZLKt6eAcTHBslKy5yufL5tEwKBpU5aTMpRokx2OasLoo1+VzTwjk/c1lSLrzUEJ2FCjnydHW9nrHUpR1btyrhay5uIPe1QE0iOtXonfIGiv3kqxa1Cc93HVwx6AqRVNR1Jzs5t0QfgQa9d9ePhde7ynteyfWwXU8bdAZV8v5gp9QuVr8mYuv4f7em/UNkTXvGi/R3vN3yK1ytvcYK8poBaSJHEHa3aVCcFlngNU32iFzjko3a3H8fOw+gfWFG/QLAbvRBLQdieIz96vahW1C9aG+oVQsDVYY1W7jM36bGpi0zPGsg9VqE2Y20y0y0YvZX7b+HlabEynNBOObc1YIVQJX9EzbC26DmCwg3Q/BcYef+6IMTfvW
wz9OTfrGYLKfNJF0523qwfNmousfrhaNej+3p62ojiMC4x+84AdLAlThzq7uejOOeUmfBJXeNt+RzXubLc/LWSZpnvnEDcdP2fNGvxe15WK92DujH8OV33M+X50hSX/LWiomh92A7IufSAN0WJo6JrCxYcR02Upd6nbKX/XZU1xdoO3Vhpx97ZCxy4kt3tpmRe3m+V5ON5Z/bo8laxF6KfKPRTsiZq8/0/U4L98FubRYRVNvf+P4r746b1qat3JSmfYxqUYB2lJHuQVlJsqSK02kxqAJ0TRm4IFVBRwSBBqGT9kfZOtCuqupWnlhJZTWMpr6Q23O+fnF51dehiW8Z6zwKY3XZBw4UvHMt5CbS4pAkl8KQaz4XFIXFCItWUqVsXvv1QH5ZJr1qdDeJXR3xPy0i3bHTlstyGWCct+8+EC5YUedgxZkfZOtG4D+7aAYYXzmHiAOL0nsS9otgZO7osU10Tm2eljBmXN9YlfsAvO5RitdxY771T8N7rm92hFyN4vM5qHQj7MIk+9SNBXgc3IhmBXohi9xyj7PVRyaNboXej+BZGMbevVR+9t7pGM/bZhyX5+EykjtH55ksq+zIeVd4Kj73Cse4Ov+erqffWnSkwPrUmZvNnddszErzaukjZY11MW+lpVTYecDK9Qa/kSlxfhD5oyiAw676M5x97h4iu4mR1sjPrBCl5A1lTT/lsHJrRdBR7Rgpvm0UVLVbCjlbM/pQawVUR88N1oaaOpbi3PqjKC8ezeywi0/lLeH5i/H3y76s9TEwtBh9HDQ+dnfBYhG+us07lnj63oDJz4dz9w55zriQdawYZ6eORM+j3ykrSWM6HQYe2R8jA07dmXGLJU6Lwso9omvGQOtZXZALuz5hMgdtWaJp9hu2LLjI4TYyAQquzWGa5wNlCy6MpphqkJiCwvhmSRUvMIMn4MFz8XcxJxSJ+K39bXBnIgEfyqlrLvRIGrFfnTxr8zkrULryRbdOwgxI5lWETUJ80+Hp+UiRoXNzDd/j1AklTvlqk7y8r8p9235IudAkB0N5EXAyTGVtOr8b2Zosjp6b2XhsaZvHhniMP6QGyqpIls1zSnKYUR8C8p0vmxi+z9a0WvESVEHXWMhlpH9cybPAjbQfoNXtfw2zpgrc+eq14abGxowkuLGNbTBs2PTQ6xo1itXx7zAaG9MEsorJsrT3KQ0bnTnohHeSfSsllzx3/rOmi1wJejQRKpfs8EDj/b1lr3ix0RpZNy8vrBrcVpj09Diyvlk9raz/XU4P9DsdvL3/Jac+ABO+XRVP1zj3HBOK3clfX12Sy4FC1UUjWddaX12yG4OIhV1tNew8qiF9H3+Yz60OK/dORGRTmaeu+BpU3PWVDo8LsbiMqEeL+N0SXMjgCJXnHRewLx12CbRtPITPed6GckaceGVsq3FQBh7h5Y+n5LX7ruqUz1Qz3fvqo+ue0wSiMFnjFljd9SK41K8phMpbmy5MuxI3juAICXrF822HSFtdSZeUF3QYyCCtK5xgfeUMlBqZtODu0CG+/nhxN2+slL4BlAvADrbk0w00n09GJCIvs2md5+vo/hleZlHrgDpwaw2HNTrf6aWKD1FxGbHLQa/ELtP1MQoSuO5mr7qeq7TOuWkr6zZ90TxGocF2m4oNJ0o24YXdm3RZYrEpuDyaVX726YI887USn+rC6spTXmABB+aBXdxWUttvPiffDh0Noh+FuRFyJbYMIQ2sxmYWy23oI5M2GT2CC66fFnrWVLm/9aVJr2FO2Zp8HDXXCj5V9DGK8v3CWyTmgpSUi5miJexMx6iowqm96fskbCmXV7gseStzlxy9aQvYyToLIEX2aF+YKmAJkcpC2u4b9xZW5NdaoCn5RuZQkGdcLCffnBAu2QmZ2v8D+39U0GKtuZ58E44vGlZls4IOJufH1qG2NfyzK4KLoq8L5eS6GX4lZzsbNRiZFFP316nHs2mDoEFZRg4itCzjyt0eZp/e/EYVkA8uAfibbz6
9+e30/cU337ic2yVVlI/y5Eqqm5gly3sv2G/Ngt0I26gTjIrYSoSv2YnbpaR9Diizz8U6gQkzkwqE5iymAOm4khJgXMb3ggTiA7GAZivKh8OJH+wdwN7nsYHa6xO7RF3X00SXwkxzbVTsynes107mEOu+pdHe0abmI52T9NBil81gsIFK44tNNnUvvt7FgpjxUUdTs9VkjthDtxrsRhTYZr+8JyyUD+4neH/HhUXe6//vh6tuVGY3+e9RWCzv+Og9IjuRfBTmaOK4u/CT8ghJW1sn27FLn5k2o73JssM+mc/R7Tbg3P2R6aZlNT9GPAyLvmaUF5bWTTOXKy8zLs+7tW3YicuagwbmgRYG41mFTc51ZlXEA/ZzSOI1plv76qMzWZa16HuiBtiJwxo3PRS7t3Br/g5hnbrFTR+mWT8Ut2sq8n+X4ajZBjdDDT9EMjwYu+HCW8jpWleccRktS/RYFjxiv6JKDIMOTx11Lcoqk6mE8fXbN1fknfOjbpJSw4h8PmoqwfV/vCafa1AjvVvrQmQK+p060yY3dByia/K+KToLpnW1WjqL+JB2gcrYYwQs0Oogx9E+qCYQHHsw3Dz+gAZaUFUmOC0LNoF7gVYRC5BboHUebSrtFsy43a62QOfU9LXCh8KdgmCLkqpYZSUt3HVFB+OLHxx9omyQThUFZraIzgsMZnELqFrAszm2WkoAVk5/TwC1otEnYbiOU9HZC4PuGY/94PjObSVY1TM60iKjDAejxC8/sbC1iGi8dwBP59XyR3FrFtHfdyYyZlSW66h91zvQLeTDIk93ALwsaHSJITIQcy4iFkUOQafIjRbZLNMrblh0+SGyWSFXmpbxc1e6sIVZpoOeIOrCRMZFSnHCRQWqnK6jJbwPYFfsJg3wJS1S8AqvskpJI7P4ISmEvvwxQ49jfNhFsrtZyHmWpyC2BRw//42JrKS3mTGx3AbbgC1HF5DgUSi5SIQ0F+mQrgqdFdMiix0W3YL9XULg0TuDd2DH7oXYhR27qrcL+6eEsH9OCPtfEsL+7wlh/zUNbCOrgk4hhUhpocc3z0RW1gUq39N1gneyAV7dJNBLyrrg87JKo31bLZMW89hJSB4yT6GUaPjM4vtGRKZdQmKCE9SKpbEmLeA01qRe67pKMIuUibasOompaqSxpgfcJhAhRhprmKWCjWZNEuC14LeCCqmBJWDC5c+WKokeheXPsjILoHkCt5osq4wVCXzYFnCCIAnCVdO1ie8WtZB1EshVnSWIaTDFDWe0SFBApDM6B8HWEbOuurAFLdZ/QD5NgfcywzagSSC7djBpsHaJtUmgT+fV8uc0PmidTbn5a5JGY0xncWfF9QArGV1U6yTXHKECU/Gr3LTz8UebtdUBDGbh/PzxnSMOOKp9SYC7bvLxOsh1YM94ASlsGJ3NUhwin8Uszt4GnEI30BmvMEkxSyLqeLX8MdemGjTzjwRbK5YEdsFnkMKM0ehoLiHn0QpGt2FzkYZLSpnXBWgmU1DbA+fzBLJJVnpFTdSZ/x3ooQzyKIAVzLk2isb3hGxgJ9D4FFSpSK2S0VpjJ3KVSL66zHzH4gmgGwW0TKBIulKgVGinU65XC8l15ibMxoe+poomYfB8pBA2BuSlm28fGy7Xhoroc45zbaa1ijUssIEKblZQCqh1dFzj69FNTXJssDi5YRZ/2PWhnQZ2wZzTPI99B3geO6zatA5K8BbxMmNKyjJJVyILOIGZxsssTXKk73iUgszVTfT2TJWO37KUV7pSPDLQghpu6ujZZwUXEK/FzgaqjjpRp4WLxbfx3VqFdF1Ps1khoz/nLfAEKf/W5o0udSzQBBLH2tAJUI2em1DIeRLWFfMkF7iSKrYAK6f1PMU1K7lmKcRCqZMwbIo5EAIMNleKDje6DHcNoGNn/DmosdPxxGoV2wJJUlEm3QDo6JaojK8ZScXnWWAe14PhrgSo+G9WlbmhvNHBRp1MvQHrRrwmYbIEhZt+Jk5sYeDBxpY
GVeYcSdHRpVrbDzO2iFXnPwANtxWPHgioQJVzRYUZ9NyNAXmVBHD8p9d1Ivv4sTcFNAJgJecZ1VXEgQFd0IrGhqqAFin0OwUM6eC6jiYCHp/IFnLcFq4dyFLlCTCO78jUCXzD2vmGE+QDaIidCOAGHicwTjR8js8AoQat0aAmMKU0nycQvLqK7WXTiqW4B4rl0RVprVioK24EwCbeiK0uzFpH76q5ZCJ2oURwWuxDgbomnbG3b+YmPls5oPEjeu1Mz9hw11X0bq11Pk2Sh16rIsFbWGtQWc5jV70nGVvRRIZSkMEwbWgZ2xu8zLjQhs4SaAZLrkwKNXxZiQStm4xUtYjpZg21RQt0FD2tjSTva0EGS7fZIwmH5X2iBc/JmYKcG3JGVe67GWps/x5Gx03OSkilsQmhCAaH6BPsb8BkQUKlOm0+BBfpKHdRVoVcw2Cw4F76zWQdran3HXnM0tD5jHDemYI53JKS9hstbGKxYl73h4EkR7LgGoczNKv7o8cGSkTXVSWVIcPGo4SsFtQQbkilYDbGCg9Iy73PEIoQ4b3V0aJAuPCd3Uf6QhdcpJ7I30HVrtbFUxMj52AWoCab7+uFrAcvGiEClqDacURGkooqDeQNGIoTwd1dpS0Jnr2Wc/3iypW9PifnfsTXCTGLwJQibAb8HvzoY0RbkLdgfuNGgA6f85CpkxBvhiO721uEi7vNaqCKLSZc8CB+OHP3CP21e+ITZ2FgMsSLgtYCZ/3Oa5zj2jRxDzdw7/Vr37Gn9O242z21Tbj9/OIRY98eRBaxpulunVdxWfIBbg3eijF3wTGmUY8IpM3gurc4oVoUIxMvsXtuwnHg2D9XgyEKPtegzY6m3YdnK9+/V75TGXAsj1vVSey+R6rNO912p+zCyWGEsbGtv2OHdv1LcOcxZ//vn29oF7s8b4QCrh3mDbQa4iXx3pOF7eMypRqIS9dusSGDW9Wekv/F4+Ar2lHwLeZSufb1QTISQjXRADjujO6eV6Wo0JQdYbzvoMO0W1qg2rthGlYrnIC2C+kKVMmdunEspDdLusEcfMkLmAMpYAkFoVrzuXAHt5nXH2Z9bMn8iPIb19/B6dNHmfRsMasF/1xDf0wiDV++Dr6HdUw8bApKo9Hw3F1IJoUAzK0gK24WY4KCkEBlSKuxKziovOjepoUlJ8qT9okq5JwzWhCLwYjpg1g8Lna41MiYxsejXbVY6zB6nXS2lexltcZ+4GnBqc4WMrlN4Iy41lzDWSqboUZWKnZH8IT7ARB3aSy2+Kb5QSysAKomp4WW1hDfum/nGCwnv/pfTMipWLf/GkA3aMtrYQjNJ0yWVW1AhcVwEje+3Vg68+yr/lngjMWtA+Hmn/XL777/q7V9zzvH0VDsqyDank+zuBGzuzpu6BoU+ZfWJ6dfeDQQufCtj13/k57nxQbnLa7feR4HJi/vk21f9wem2HUm5O27Dxd276DAOU/QX5pzzRRUVLC11Sq9elb0c0EIUuiEfHjzC7kU5oeXJ+Ty7fnFf/5CPl4K8/OP5NlqsSYCuFmAImwhtR+VJpUCZvBb3//8P/+/518HKQJmkVDG9emBMnVS0vA4Hp2Y++55za8dL142SIWveP60kO7Kpj2YH9gw7s4PfAjfnmK6sU4+cWVqWpDXp2+DyP4hBaTzZR3GGf9HCpiEaWvR/WJEKG5kv/DEI3iKb/COc5hTAyv6CCPSkbuvyGmeK/TTOi4PodM+vaysDo1zPjQWcnn25sq9SqPhsZLqI0Y/tpxKTlP1bze5vLKojHi/LA0PnAQRhYZ27XEaNppY5qZrHVdAdNClec7tl2mxCdh2ZvmH37kjMoA1CfGCS3/Dz7dZYIDKJtc6iV531yeNkrcewyupTCuSB0I3xwAbHgA36/2SVx+Z9m4/XMybx6TZ1psxwgsI2Y3H8uJ67NDypVpLxq3K6fxGAx2HWLmsqJjDpDWdmBQzPq8V5GS6RpggcswaCsuZ6sDWA4Oi0RFtObj
oLEG/gyKi7t8t4YruAFBQSgOZz+yOn2cUn7S50BnNXCp+AtCVUWmAzxKwxCxBtXCR4jqk6n9SJSAqzbPGE5dOLe9b8HYfk/5qXWfCI2iwF2YBSoAhH9YVnJCPzTP2Gh1gP5CrxgE2eAnejWlqzaieIygTI6Zxg7T3i58QWhRBZaLafBET3KjCxLwlKPsGcmEk0QYfcy7Ix8tRgcIwQTaZvIousi1QWSUY+2YBK9CxM3ot2AQlLu5FjJ2Kjv72BNi60QpZAWIefVIk4myVj4Ra6IgG6lQeWnQCMIIwTCeYEUpeSbWiKh/O6SbkdI7JXopQe+NvMZduCmYFIMKqZ+SuifeNcUtDi26oziFDsGU8ZkYMdsiFz3PFtISSGyuW/IiN8BaXBRXHiOPfwUHZJIh0XJSDDW67LDeRlKW1YOdowG6/PLEjlcCwC8EyXj+4u0XsqTKc1QVVBPtFkwaJZxe3v7yWczmbhae/A8vMApIf7xayH+yC7jZ28L6weFt0T2uzAGF8svgo2rqO2Tnhbgk9bslx1D9qUKMIy9oweVxK+yXHEb6uGQOtR3DGzuOHNUc7LPEE8SJWxZ1LtSaBwoQBbscQTls4Qg9HK5UwwKcrKey7YuVWSDlsf0gGitL2rpbx+tGNvJuUuK6lWDNQcMjb/Xg/TE8f5oJobuqA/CRYXABeRHuoC6oJzWVlXxezAK6IXInNkTnCGXorhSxH8mpxJofmrkX9cZUIq9xzkVv5I5VuCUDJK14AOfWITQZkuIuzV7Qbc3dyNGG83f+jpCuMkuDaZy3EpUJojwFCxKx3fwAhXL7eta/XiE2J8YTQqUxZPRDY/BQWdMlljdolk2WlZMlHMhTh2MhdCDotsIhsRs5248bFshU7CZHsY7ildZIgAlsYRh0ucwCCgfVb/FKfbueV3dy3UbbblFnWwvTL2WJr9DmWgWfsELP+TloQvsdzEKA4a7aEBMFEv35qATcLfGpDs92IR3bCvp9oo8aDn82eDmm79Wh7erl7T169cGsl3FfQNG2NcMNL0FauO21PQQWjQSR/CtGaQuw9CGw8+MBjUHdkrUN6dz8aa/1wtz19n+loQ07vvDXvMN63w8HecMcbgXAHYfDl7u7l3t2po56du2hR9qb2n1y0XqrHESB75HgrQL5cdvxh/5HFGm1wnCO7m3xUR5UgMe/YHeTHUdkx5t4GzNgq9ViC1vNTR6/cqc0iK8Es5CNESeiWJ5k4NPzXRg8ceykpmdTrtCOq814W3l9rEdnBl4k8If85+em778iz1+enV8/JOdeGi3nN9QJyLIUP4lLIuUzeF2hXJAyzZWcOD3/M+MWRjDElE3sVd9V/2lMNYdDeGPTIRxv6fJ/rwjDtv6377Tj+EKdQzJSKUJv0TaYYLWJ1p+tt5D3Nea3dCkQqonnJC6qceLJi094hhu96uLwK77nm+TE7jXQz5T9aRmi8iL2+mJtLnq7O4lTsuusY1vCVhh3/r3cS4ScDXvCOG+iUZeRhV6ZUKRMDBiEbJLVUcyr4HzuyqkU6VrgrsQ+gdJenRsg94ypYS5qo688ruxy+Fq7Fl+tdtJXV/CvQwiwYVUAqBbksuaDBgruOeLqihoMwem96fEGPudvX9FE361o/QpWIce3V+doKrooqg82QNlvdLVaP2OzIC5u7SNQZ5KCogTyLllS2gz+s8HnVrNgGz66UXPK8bR7mv0erqvCa6oAxfPMf+6xt67RhBWezSZ4faZftkr7Xn1mPbDM4PBQzJ5fcRc8XfcV9pAVcq3TGHAp+X80TblFn6vyoUwk9D2zU6aiosVJNtJHKSXwLrQRDcbWv8VsT+62vw7sveZ4XcDwp9wbXu6ucCxxvR+4dJOea8RjH2e6VX63TYUism+jsCakKao/Mvs9SERBMrasxLz+mQh7BnrxDBp1qbctfpTbkDWULLkZMupwmkhxf9Wn9UWCmf6XAig+rH7kmZ3pCXue0Ip/wH04/yqVwdaf/HD6eZEG
XYDWnAqgin2tQa4I9CHUlhYZGowoXp9r9Zvib48hL3wOPWciKN10ghdu+68s3jmezpSOgumGg97456l0xxSlPaR1mfR5vWktvNTGytqF/eLkmqhYiaMfqk/blcZFn10ZqpMbOQ8y8hZn+IChZcZHLlSa6AsZnnNlPTkJ1gj5PdnhB7PYcvpucG/IMO8KCYJtnCEOXzzvUIrXAd/w1zClbk496u/FtG4Et+4W00bNr7QpHMNhHXvuuqYWoYK0aMpl9EQcUb/sABKr/typNsZxnSL7tbadXqMe68zr1OrBj3GGQ0fxvDtjscfJ6x7bqM3y9672RdRe49fEuoMPdHMdh1wYMts9mk5DpjmFwQuGGFPuLn7FsIOZIwNEKN9xyDjMuvK8ehRN29StpNdJ0ELE7qFAsEW4bB0xP/YstGFufbeq9+15KI70pWx+2MZQtyiO3wN+sigQnA+uoexxJhrxMuYg3QSzq3bBbxqLCtI9nQEh1y3bwWFwb7U15f2Bq5wDrtG/fHqwrqhqesn8+2WxlteCDVurE3g5ry7rk9zttz0SfWeLaWki1Tnfgf9MVFf+2t2NMg8h2F/VGPQ89TZYsf3uB0Pfs7dFUosGumn7ru3c1ygUZCKNkdYjoyGU9HTgX7sTjfk1rbcOecgTE0VV3HPcensmyomLd3ke8djhO39krS1D2Gcq4mMmwUkD1TeoaoT3yo2dFNpitIG1X9NnnVDkCr+qiWJP/qGnBZxxyco51z845GERlBdOMSXnDHyno/htMiVt/Yz/TYkybj95tdhMOr2qDKveBI0z33/X37RJ+yo53Rzuf/IR8WFdu6xvPgSWOO8Hxw1Mwy6I2k+2hbXFwjgj1tQ61re0jcwxXXatcbmPnPIuVVI23H0PM71+PHHmnV05kdmpoUaWdQ7SDFHblvZ77Bk0lZSJNZBspu449D1JRE3ZNMpFRHTPa3wGsfDl9ZMi1KiIecwdqxFNpjdGsVrG8IR2YGlRG5/Fsyg3o6M/TNuio6Y/boD3XJxAscGtAoGoV3zix8KNxc6voLRT0UmVia1RuiWPUEm7J3A+4LKpXL/x/n3kUXvj/8HlNIbc/LUCFs/P8dh4xeu420w2eo8e1M2ptsJ3cD0SzJhUXM1BqJO463PdR9tVV/PeSPuiePQKSTV/iWecYAlcKw9oy6ZUKLHE09rtwcXvLdh8wg1h1//QPGCZojQ/85NUC1HH8EVZn9xlPz85w9ONzcobrh1EDZY7ULGWEzmeg/PBP2MrC3NGcF5KGjjuE7By4XfRr3ekUvfOk+R+HeiXv3xolfNrkmv8R9tbwm0Qy5fIfF0TAXBruDrBaUD0yAUqzY7cV6hylW3x8uKA96mQToAYJLj0eaxqnN/U34YQUzefHqKjY7m/UTj38MDpo2UoTrnUdXelEyJgslc5b97AYCmIISiX1gQ4OpSs9L+zi5BqD07uk01EyJNrO4D6K/OwaUzt3P0Yd6XkYkveXnjtwHBehWhfZMuWL3g+pekd2EJk8s6xH6+htGnUqwPwGvEWdqLnBV5txJd0HCWXrj0RjvE4qcnl9+o83V+TKvlPknRiZvrLBNlEl9SHYfljJMLYohtgC2I0+yIl8NyGctgdZaOhc26+zbRGGaaB+BOFGCu7QckHxQVPIR1ByHR5tV5BRowFxNtTUR5vw2cVySQueO0YMINEXhEfrar1LECLFbmCt+2I7Euc3CaSRYS+MqXTGcQZtEtB4lCkIwugTuE18LprKF6m4We+5UUyWZdI+cXfE2+HhHULhEvwVV1D0Lc3YLpZVQUWm9WMNvLUrOxn+m99tU6MVxNaVGmeV5MdIqw4h7DAgiAEiFbYGkKxsQYUYNM5I3W7Kr4qIjMRsj9S2uX1Y/MzD316fvvXv3ove8u2DYqTq+/6j92zj+iZbyqJORYDTZo6z8HNu2snYzTjfWnCjyTOHhH6O3TqwsLeZqNsDTxDp4G6KOpE0e+1x/Si48ekCk+2igyUozBS
Y1QVhUjCojDWUr90ZjrRXWK1SSl9HeGuwNyO0LaKVVIZIS99f//00lIIbJHtsvpNqfvwEy36BwZaLdUpds5Ngo5i/X7y7urwib+htyUXejvUOH6vd29HTMLeGKI5sy29jsLtd22rVp3DJYvT0bFflmM2OV7D52EX4zZaTqx1bzjIvlS/PfZdej8VODIvjHcoj9wpodlz+l68bbgtzRD7UJGPfbvSXWBP6kbIb/bhqtOLboG7pintPiK4DKepUk79po6SY/9u0oOym4NpA/rcX/m8n7adczICFP5pxBStaBBUZOi06vyFU5ERLMsKWCuZcG7W2lv0xhUVFzcI3629xIH0cBkiiU+pYaLpCaFevxaTqdCFv9ckWcxBGrf/yfwMAAP//iL61wg==" }
diff --git a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id
+ overwrite: true
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ overwrite: true
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ overwrite: true
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ overwrite: true
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ overwrite: true
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ overwrite: true
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ overwrite: true
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ overwrite: true
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ overwrite: true
+ type: group
+ fields:
+ - name: auth_method
+ overwrite: true
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ overwrite: true
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ overwrite: true
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ overwrite: true
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ overwrite: true
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ overwrite: true
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ overwrite: true
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ overwrite: true
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ overwrite: true
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ overwrite: true
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml new file mode 100644 index 00000000000..5608926d955 --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cisco"
+ product: "Nexus"
+ type: "Switches"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cisco/nexus/config/liblogparser.js
+ - ${path.home}/module/cisco/nexus/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
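Review bot: The `debug: {{.debug}}` param handed to the script processor carries no hint of its cost: the library it loads only prints dissect input when that flag is set, but then it writes every raw message (`console.debug(" input: <<" + msg + ">>")` in liblogparser.js's match()) to the Filebeat log, and this field set includes fields such as identity.password that are defined to hold plain-text credentials, so those values would land in the agent log as well. A one-line comment above the param would make that visible to operators: `# debug: true logs every raw message the parser sees; leave disabled outside troubleshooting`. Separately, `type: "Switches"` under `observer` looks out of step with the ECS observer.type examples, which appear to be lowercase singular kinds such as firewall or proxy; `type: "switch"` would follow that convention, assuming the other RSA-derived modules in this PR do not already standardise on the plural form.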
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + +var dup61 = setc("dclass_counter1_string","Hit Count"); + +var dup62 = setc("eventcategory","1603100000"); + +var dup63 = setc("eventcategory","1701020000"); + +var dup64 = setc("eventcategory","1801000000"); + +var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + +var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + +var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + +var dup68 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + +var dup69 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var dup72 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var dup73 = setc("ec_outcome","Error"); + +var dup74 = setc("eventcategory","1703000000"); + +var dup75 = setc("obj_type","vPC"); + +var dup76 = setc("ec_subject","OS"); + +var dup77 = setc("ec_activity","Start"); + +var dup78 = setc("eventcategory","1801010000"); + +var dup79 = setc("ec_activity","Receive"); + +var dup80 = setc("ec_activity","Send"); + +var dup81 = setc("ec_activity","Create"); + +var dup82 = setc("event_description","Switchover completed."); + +var dup83 = setc("event_description","Invalid user"); + +var dup84 = setc("eventcategory","1401000000"); + +var dup85 = setc("ec_subject","Service"); + +var dup86 = setc("event_description","Duplicate address Detected."); + +var dup87 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + 
+var dup88 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup92 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup93 = linear_select([ + dup27, + dup28, +]); + +var dup94 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var dup98 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var dup99 = linear_select([ + dup47, + dup48, +]); + +var dup100 = linear_select([ + dup50, + dup51, +]); + +var dup101 = linear_select([ 
+ dup55, + dup56, +]); + +var dup102 = linear_select([ + dup58, + dup59, +]); + +var dup103 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup104 = linear_select([ + dup66, + dup67, +]); + +var dup105 = linear_select([ + dup68, + dup69, +]); + +var dup106 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup108 = linear_select([ + dup71, + dup72, +]); + +var dup109 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), +])); + +var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: 
%%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), +])); + +var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), +])); + +var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), +])); + +var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, +]); + +var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); + +var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg2 = msg("SYSTEM_MSG", part1); + +var part2 = match("MESSAGE#2:SYSTEM_MSG:12", 
"nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg3 = msg("SYSTEM_MSG:12", part2); + +var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg4 = msg("SYSTEM_MSG:01", part3); + +var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg5 = msg("SYSTEM_MSG:11", part4); + +var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + +var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + +var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select2 = linear_select([ + part6, + part7, +]); + +var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + +var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), +}); + +var msg6 = msg("SYSTEM_MSG:19", all1); + +var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg7 = msg("SYSTEM_MSG:02", part9); + +var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + +var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; 
logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + +var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + +var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + +var select4 = linear_select([ + part13, + part14, +]); + +var part15 = match("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "%{agent}"); + +var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg8 = msg("SYSTEM_MSG:03", all2); + +var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg9 = msg("SYSTEM_MSG:04", part16); + +var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + +var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + +var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + +var select5 = linear_select([ + part18, + part19, +]); + +var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + +var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg10 = msg("SYSTEM_MSG:05", all3); + +var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg11 = msg("SYSTEM_MSG:06", part21); + +var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg12 = msg("SYSTEM_MSG:07", part22); + +var part23 
= match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg13 = msg("SYSTEM_MSG:09", part23); + +var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg14 = msg("SYSTEM_MSG:10", part24); + +var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg15 = msg("SYSTEM_MSG:13", part25); + +var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg16 = msg("SYSTEM_MSG:14", part26); + +var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, +])); + +var msg17 = msg("SYSTEM_MSG:15", part27); + +var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, +])); + +var msg18 = msg("SYSTEM_MSG:16", part28); + +var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + +var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + +var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + +var select6 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + +var all4 = all_match({ + processors: [ + part29, + 
select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg19 = msg("SYSTEM_MSG:17", all4); + +var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, +])); + +var msg20 = msg("SYSTEM_MSG:20", part33); + +var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, +])); + +var msg21 = msg("SYSTEM_MSG:21", part34); + +var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, +])); + +var msg22 = msg("SYSTEM_MSG:22", part35); + +var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, +])); + +var msg23 = msg("SYSTEM_MSG:23", part36); + +var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + +var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{username}'%{p0}"); + +var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{username}'%{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "%{}- %{agent}[%{process_id}]"); + +var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), +}); + +var msg24 = msg("SYSTEM_MSG:24", all5); + +var part41 = match("MESSAGE#24:SYSTEM_MSG:08/1_0", "nwparser.p0", "%{event_description->} - 
%{agent}"); + +var select8 = linear_select([ + part41, + dup22, +]); + +var all6 = all_match({ + processors: [ + dup21, + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg25 = msg("SYSTEM_MSG:08", all6); + +var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, +]); + +var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + +var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), +])); + +var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + +var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg28 = msg("POLICY_COMMIT_EVENT", part44); + +var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), +])); + +var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + +var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} 
net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + +var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + +var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + +var select10 = linear_select([ + msg30, + msg31, + msg32, +]); + +var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup88); + +var msg34 = msg("MTSERROR", dup87); + +var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + +var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup89); + +var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup90); + +var select11 = linear_select([ + msg36, + msg37, +]); + +var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup91); + +var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup92); + +var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + dup26, +])); + +var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + +var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup90); + +var select12 = linear_select([ + msg40, + msg41, +]); + +var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup92); + +var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup89); + +var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), +])); + +var msg44 = msg("IF_DUPLEX", part51); + +var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + +var all7 = all_match({ + processors: [ + part52, + dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), +}); + +var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + +var part53 = match("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg46 = msg("IF_SEQ_ERROR", part53); + +var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + +var all8 = all_match({ + processors: [ + part54, + 
dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), +}); + +var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + +var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), +])); + +var msg48 = msg("IF_UP", part55); + +var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), +])); + +var msg49 = msg("IF_UP:01", part56); + +var select13 = linear_select([ + msg48, + msg49, +]); + +var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), +])); + +var msg50 = msg("SPEED", part57); + +var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg51 = msg("CREATED", part58); + +var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg52 = msg("FOP_CHANGED", part59); + +var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg53 = msg("PORT_DOWN", part60); + +var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg54 = msg("PORT_UP", part61); + +var part62 = 
match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + +var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + +var msg57 = msg("MTS_DROP", dup88); + +var msg58 = msg("SYSLOG_LOG_WARNING", dup88); + +var msg59 = msg("IM_SEQ_ERROR", dup94); + +var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup88); + +var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup88); + +var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup88); + +var msg63 = msg("IMG_DNLD_COMPLETE", dup88); + +var msg64 = msg("IMG_DNLD_STARTED", dup88); + +var part64 = match("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "%{result}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + +var msg66 = msg("MSM_CRIT", dup94); + +var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + +var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup88); + +var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg69 = msg("MOD_FAIL", part66); + +var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg70 = msg("MOD_MAJORSWFAIL", part67); + +var 
part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + +var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg72 = msg("MOD_WARNING:01", part69); + +var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg73 = msg("MOD_WARNING", part70); + +var select14 = linear_select([ + msg72, + msg73, +]); + +var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg74 = msg("ACTIVE_SUP_OK", part71); + +var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg75 = msg("MOD_OK", part72); + +var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg76 = msg("MOD_RESTART", part73); + +var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), +])); + +var msg77 = msg("DISPUTE_CLEARED", part74); + +var part75 = match("MESSAGE#77:DISPUTE_DETECTED", 
"nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), +])); + +var msg78 = msg("DISPUTE_DETECTED", part75); + +var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup88); + +var msg80 = msg("CHASSIS_CLKMODOK", dup88); + +var msg81 = msg("CHASSIS_CLKSRC", dup88); + +var msg82 = msg("FAN_OK", dup88); + +var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg83 = msg("MOD_DETECT", part76); + +var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg84 = msg("MOD_PWRDN", part77); + +var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg85 = msg("MOD_PWRUP", part78); + +var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg86 = msg("MOD_REMOVE", part79); + +var msg87 = msg("PFM_MODULE_POWER_ON", dup88); + +var msg88 = msg("PFM_SYSTEM_RESET", dup88); + +var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup95); + +var msg90 = msg("PFM_VEM_REMOVE_RESET", dup95); + +var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup95); + +var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup95); + +var msg93 = msg("PFM_VEM_UNLICENSED", dup88); + +var msg94 = msg("PS_FANOK", dup88); + +var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg95 = msg("PS_OK", part80); 
+ +var part81 = match("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "%{event_description}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + +var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg97 = msg("FAN_DETECT", part82); + +var msg98 = msg("MOD_STATUS", dup88); + +var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), +])); + +var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + +var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg100 = msg("PEER_VPC_DELETED", part84); + +var msg101 = msg("PFM_VEM_DETECTED", dup88); + +var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg102 = msg("PS_FOUND", part85); + +var part86 = match("MESSAGE#102:PS_STATUS/1_0", "nwparser.p0", "PowerSupply %{fld1->} current-status is %{disposition}"); + +var select15 = linear_select([ + part86, + dup22, +]); + +var all9 = all_match({ + processors: [ + dup21, + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg103 = msg("PS_STATUS", all9); + +var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + +var msg105 = msg("PS_CAPACITY_CHANGE", dup88); + +var select16 = linear_select([ + msg104, + msg105, +]); + +var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup89); + +var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup90); + +var select17 = linear_select([ + msg106, + msg107, +]); + +var msg108 = msg("IF_DOWN_INITIALIZING", dup91); + +var msg109 = msg("IF_DOWN_INITIALIZING:01", dup96); + +var select18 = linear_select([ + msg108, + msg109, +]); + +var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg110 = msg("IF_DOWN_NONE", part88); + +var msg111 = msg("IF_DOWN_NONE:01", dup97); + +var select19 = linear_select([ + msg110, + msg111, +]); + +var msg112 = msg("IF_DOWN_NOS_RCVD", dup89); + +var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup90); + +var select20 = linear_select([ + msg112, + msg113, +]); + +var msg114 = msg("IF_DOWN_OFFLINE", dup89); + +var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); + +var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + +var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); + +var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg118 = msg("IF_TRUNK_DOWN", part90); + +var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg119 = 
msg("IF_TRUNK_DOWN:01", part91); + +var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg120 = msg("IF_TRUNK_DOWN:02", part92); + +var select21 = linear_select([ + msg118, + msg119, + msg120, +]); + +var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg121 = msg("IF_TRUNK_UP", part93); + +var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg122 = msg("IF_TRUNK_UP:01", part94); + +var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg123 = msg("IF_TRUNK_UP:02", part95); + +var select22 = linear_select([ + msg121, + msg122, + msg123, +]); + +var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); + +var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + +var msg126 = msg("STANDBY_SUP_OK", dup88); + +var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), +])); + +var msg127 = msg("STM_LOOP_DETECT", part97); + +var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg128 = 
msg("SYNC_COMPLETE", part98); + +var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup98); + +var msg130 = msg("MESG", dup88); + +var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg131 = msg("ERR_MSG", part99); + +var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup98); + +var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + +var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg134 = msg("CFGWRITE_FAILED", part101); + +var msg135 = msg("CFGWRITE_ABORTED", dup88); + +var msg136 = msg("CFGWRITE_DONE", dup88); + +var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); + +var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); + +var select23 = linear_select([ + part102, + part103, +]); + +var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg137 = msg("CFGWRITE_STARTED", all10); + +var msg138 = msg("IF_ATTACHED", dup88); + +var msg139 = msg("IF_DELETE_AUTO", dup95); + +var part104 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg140 = msg("IF_DETACHED", part104); + +var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup95); + +var msg142 = msg("IF_DOWN_INACTIVE", dup89); + +var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); + +var part105 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", 
"Interface %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part105); + +var part106 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup37, + dup2, + dup3, + dup4, +])); + +var msg145 = msg("CONN_CONNECT", part106); + +var part107 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, +])); + +var msg146 = msg("CONN_DISCONNECT", part107); + +var part108 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg147 = msg("DVPG_CREATE", part108); + +var part109 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg148 = msg("DVPG_DELETE", part109); + +var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); + +var part110 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg150 = msg("DVS_NAME_CHANGE", part110); + +var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); + +var part111 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg152 = msg("VPC_DELETED", part111); + +var part112 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), +])); + +var msg153 = msg("VPC_UP", part112); + +var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); + +var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + +var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); + +var select24 = linear_select([ + part114, + part115, +]); + +var all11 = all_match({ + processors: [ + part113, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + +var part116 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part116); + +var select25 = linear_select([ + msg154, + msg155, +]); + +var part117 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part117); + +var part118 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part118); + +var part119 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), +])); + +var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part119); + +var part120 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part120); + +var part121 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", 
"start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part121); + +var part122 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part122); + +var part123 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, +])); + +var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part123); + +var part124 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part124); + +var part125 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part125); + +var part126 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part126); + +var part127 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part127); + +var part128 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", 
processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part128); + +var part129 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part129); + +var part130 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part130); + +var part131 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part131); + +var part132 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part132); + +var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + +var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var select26 = linear_select([ + part133, + part134, +]); + +var all12 = all_match({ + processors: [ + dup43, + select26, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + +var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + +var part136 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + +var select27 = linear_select([ + part135, + part136, +]); + +var all13 = all_match({ + processors: [ + dup43, + select27, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + +var part137 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part137); + +var part138 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup45, +])); + +var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part138); + +var part139 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup45, +])); + +var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part139); + +var part140 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part140); + +var part141 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part141); + +var part142 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal 
session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part142); + +var part143 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part143); + +var part144 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part144); + +var part145 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part145); + +var part146 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), +])); + +var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part146); + +var part147 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part147); + +var part148 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part148); + +var part149 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part149); + +var select28 = linear_select([ + 
msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, +]); + +var all14 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup61, + ]), +}); + +var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + +var part150 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part150); + +var all15 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup61, + ]), +}); + +var msg189 = msg("ACLLOG_NEW_FLOW", all15); + +var part151 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), +])); + +var msg190 = msg("DUP_VADDR_SRC_IP", part151); + +var part152 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg191 = msg("IF_ERROR_VLANS_REMOVED", part152); + +var 
part153 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part153); + +var part154 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg193 = msg("IF_DOWN_CFG_CHANGE", part154); + +var part155 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg194 = msg("PFM_CLOCK_CHANGE", part155); + +var part156 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part156); + +var part157 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg196 = msg("snmpd", part157); + +var part158 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg197 = msg("snmpd:01", part158); + +var select29 = linear_select([ + msg196, + msg197, +]); + +var part159 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg198 = msg("CFGWRITE_USER_ABORT", part159); + +var msg199 = 
msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); + +var part160 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), +])); + +var msg200 = msg("last", part160); + +var part161 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg201 = msg("SERVICE_CRASHED", part161); + +var part162 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), +])); + +var msg202 = msg("SERVICELOST", part162); + +var part163 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part163); + +var part164 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + +var part165 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + +var part166 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + +var select30 = linear_select([ + part165, + part166, +]); + +var part167 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); + +var all16 = all_match({ + processors: [ + part164, + select30, + part167, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + dup4, + ]), +}); + +var msg204 = msg("PS_FAIL", all16); + +var msg205 = msg("INFORMATION", dup88); + +var msg206 = msg("EVENT", dup88); + +var part168 = 
match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg207 = msg("NATIVE_VLAN_MISMATCH", part168); + +var part169 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg208 = msg("NEIGHBOR_ADDED", part169); + +var part170 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg209 = msg("NEIGHBOR_REMOVED", part170); + +var part171 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg210 = msg("IF_BANDWIDTH_CHANGE", part171); + +var part172 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part172); + +var part173 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg212 = msg("PORT_INDIVIDUAL_DOWN", part173); + +var part174 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg213 = msg("PORT_SUSPENDED", part174); + +var part175 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + 
dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), +])); + +var msg214 = msg("FEX_PORT_STATUS_NOTI", part175); + +var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup103); + +var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); + +var msg217 = msg("ADJCHANGE", dup88); + +var part176 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg218 = msg("PORT_ADDED", part176); + +var part177 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg219 = msg("PORT_DELETED", part177); + +var part178 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup63, + dup2, + dup3, + dup4, +])); + +var msg220 = msg("PORT_ROLE", part178); + +var part179 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), +])); + +var msg221 = msg("PORT_STATE", part179); + +var part180 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part180); + +var part181 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part181); + +var part182 = 
match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part182); + +var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + +var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + +var select31 = linear_select([ + part184, + part185, +]); + +var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + +var all17 = all_match({ + processors: [ + part183, + select31, + part186, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + +var part187 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part187); + +var part188 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","Performing configuration copy"), +])); + +var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part188); + +var part189 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + +var all18 = all_match({ + processors: [ + dup65, + dup104, + part189, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), +}); + +var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + +var part190 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + +var all19 = all_match({ + processors: [ + dup65, + dup104, + part190, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + +var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, +]); + +var msg230 = msg("TACACS_ERROR_MESSAGE", dup103); + +var msg231 = msg("IF_SFP_WARNING", dup106); + +var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup107); + +var msg233 = msg("FCIP_PEER_CAVIUM", dup88); + +var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); + +var msg235 = msg("IF_DOWN_PEER_RESET", dup107); + +var part191 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), +])); + +var msg236 = msg("INTF_CONSISTENCY_FAILED", part191); + +var part192 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration 
is consistent in domain"), +])); + +var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part192); + +var msg238 = msg("INTF_COUNTERS_CLEARED", dup106); + +var msg239 = msg("IF_HARDWARE", dup106); + +var part193 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, +])); + +var msg240 = msg("HEARTBEAT_FAILURE", part193); + +var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup88); + +var msg242 = msg("PFM_FAN_FLTR_STATUS", dup88); + +var msg243 = msg("MOUNT", dup88); + +var msg244 = msg("LOG_CMP_UP", dup88); + +var part194 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); + +var all20 = all_match({ + processors: [ + dup70, + dup108, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg245 = msg("IF_XCVR_WARNING", all20); + +var msg246 = msg("IF_XCVR_WARNING:01", dup109); + +var select33 = linear_select([ + msg245, + msg246, +]); + +var part195 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); + +var all21 = all_match({ + processors: [ + dup70, + dup108, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg247 = msg("IF_XCVR_ALARM", all21); + +var msg248 = msg("IF_XCVR_ALARM:01", dup109); + +var select34 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("MEMORY_ALERT", dup88); + +var msg250 = msg("MEMORY_ALERT_RECOVERED", dup88); + +var part196 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); + +var all22 = all_match({ + processors: [ + dup70, + dup108, + part196, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg251 = msg("IF_SFP_ALARM", all22); + +var msg252 = msg("IF_SFP_ALARM:01", dup109); + +var select35 = linear_select([ + msg251, + msg252, +]); + +var part197 = 
match("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "%{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var msg253 = msg("NBRCHANGE_DUAL", part197); + +var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); + +var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); + +var select36 = linear_select([ + part198, + part199, +]); + +var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); + +var all23 = all_match({ + processors: [ + dup21, + select36, + part200, + ], + on_success: processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), +}); + +var msg254 = msg("SOHMS_DIAG_ERROR", all23); + +var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), +])); + +var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + +var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, +])); + +var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + +var select37 = linear_select([ + msg254, + msg255, + msg256, +]); + +var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), +])); + +var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + +var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), +])); + +var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + +var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), +])); + +var msg259 = msg("IF_ADMIN_UP", part205); + +var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup75, +])); + +var msg260 = msg("VPC_CFGD", part206); + +var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup31, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), +])); + +var msg261 = msg("MODULE_ONLINE", part207); + +var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup31, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), +])); + +var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + +var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup78, + dup35, + dup39, + dup73, + dup2, + 
dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup75, +])); + +var msg263 = msg("PEER_VPC_DOWN", part209); + +var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + +var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + +var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + +var select38 = linear_select([ + part211, + part212, +]); + +var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + +var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + +var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + +var select39 = linear_select([ + part214, + part215, +]); + +var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + +var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup37, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), +}); + +var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + +var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup37, + dup35, + dup79, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), +])); + +var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + +var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","In domain, VPC peer keep-alive receive has failed"), +])); + +var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + +var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), +])); + +var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + +var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), +])); + +var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + +var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup31, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), +])); + +var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + +var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), +])); + +var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + +var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup30, + setc("ec_activity","Detect"), + dup39, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), +])); + +var msg271 = msg("XBAR_DETECT", part223); + +var part224 = 
match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), +])); + +var msg272 = msg("XBAR_PWRUP", part224); + +var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), +])); + +var msg273 = msg("XBAR_PWRDN", part225); + +var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), +])); + +var msg274 = msg("XBAR_OK", part226); + +var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), +])); + +var msg275 = msg("VPC_ISSU_START", part227); + +var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), +])); + +var msg276 = msg("VPC_ISSU_END", part228); + +var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), +])); + +var msg277 = msg("PORT_RANGE_ROLE", part229); + +var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), +])); + +var msg278 = 
msg("PORT_RANGE_STATE", part230); + +var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), +])); + +var msg279 = msg("PORT_RANGE_DELETED", part231); + +var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup30, + dup35, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), +])); + +var msg280 = msg("PORT_RANGE_ADDED", part232); + +var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), +])); + +var msg281 = msg("MST_PORT_BOUNDARY", part233); + +var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), +])); + +var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + +var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), +])); + +var msg283 = msg("IM_INTF_STATE", part235); + +var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup63, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), +])); + +var msg284 = msg("VDC_STATE_CHANGE", part236); + +var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup82, +])); + +var msg285 = msg("SWITCHOVER_OVER", part237); + +var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup63, + dup16, + dup39, + dup2, + dup3, + dup4, + dup82, + setc("obj_type"," New Module type"), +])); + +var msg286 = msg("VDC_MODULETYPE", part238); + +var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup78, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), +])); + +var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + +var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), +])); + +var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + +var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), +])); + +var msg289 = msg("MODULE_LOCK_FAILED", part241); + +var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), +])); + +var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + +var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup30, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), +])); + +var msg291 = msg("SERVER_ADDED", part243); + +var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup25, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), +])); + +var msg292 = msg("SERVER_REMOVED", part244); + +var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup24, + dup35, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + 
+var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), +])); + +var msg294 = msg("PORT_INDIVIDUAL", part246); + +var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup24, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + +var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), +])); + +var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + +var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), +])); + +var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + +var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), +])); + +var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + +var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), +])); + +var msg299 = msg("READCONF_STARTED", 
part251); + +var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), +])); + +var msg300 = msg("SUP_POWERDOWN", part252); + +var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), +])); + +var msg301 = msg("LC_UPGRADE_START", part253); + +var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), +])); + +var msg302 = msg("LC_UPGRADE_REBOOT", part254); + +var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), +])); + +var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + +var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), +])); + +var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + +var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), +])); + +var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); + +var part258 = 
match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), +])); + +var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + +var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup64, + dup35, + dup79, + dup36, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), +])); + +var msg307 = msg("FIPS_POST_INFO_MSG", part259); + +var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup75, +])); + +var msg308 = msg("PEER_VPC_CFGD", part260); + +var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), +])); + +var msg309 = msg("SYN_COLL_DIS_EN", part261); + +var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), +])); + +var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + +var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), +])); + +var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + +var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), +])); + +var msg312 = 
msg("FEX_STATUS_online", part264); + +var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), +])); + +var msg313 = msg("FEX_STATUS_offline", part265); + +var select40 = linear_select([ + msg312, + msg313, +]); + +var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup74, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), +])); + +var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + +var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), +])); + +var msg315 = msg("PS_RED_MODE_RESTORED", part267); + +var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), +])); + +var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + +var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), +])); + +var msg317 = msg("PINNING_CHANGED", part269); + +var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + 
dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), +])); + +var msg318 = msg("SATCTRL", part270); + +var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), +])); + +var msg319 = msg("DUP_REGISTER", part271); + +var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), +])); + +var msg320 = msg("UNKNOWN_MTYPE", part272); + +var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, +])); + +var msg321 = msg("SATCTRL_IMAGE", part273); + +var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, +])); + +var msg322 = msg("API_FAILED", part274); + +var part275 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg323 = msg("SENSOR_MSG1", part275); + +var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg324 = msg("API_INIT_SEM_CLEAR", part276); + +var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), +])); + +var msg325 = msg("VDC_ONLINE", part277); + +var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port 
%{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup73, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), +])); + +var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + +var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg327 = msg("dstats", part279); + +var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup78, + dup35, + setc("ec_activity","Logoff"), + dup36, + dup2, + dup3, + dup4, +])); + +var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + +var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup78, + dup35, + dup13, + dup36, + dup2, + dup3, + dup4, +])); + +var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + +var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); + +var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg331 = msg("ZS_MERGE_FAILED", part282); + +var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); + +var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup24, + dup35, + dup36, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), +])); + +var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + +var part284 = 
match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg334 = msg("zone", part284); + +var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg335 = msg("ERROR", part285); + +var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg336 = msg("INVAL_IP", part286); + +var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + +var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg338 = msg("DUPLEX_MISMATCH", part288); + +var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg339 = msg("NOHMS_DIAG_ERROR", part289); + +var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup35, + dup36, + dup2, + dup3, + dup4, +])); + +var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + +var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup78, + dup35, + dup36, 
+ dup73, + dup2, + dup3, + dup4, +])); + +var msg341 = msg("UDLD_PORT_DISABLED", part291); + +var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg342 = msg("ntpd", part292); + +var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg343 = msg("ntpd:01", part293); + +var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg344 = msg("ntpd:02", part294); + +var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg345 = msg("ntpd:03", part295); + +var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg346 = msg("ntpd:04", part296); + +var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, +]); + +var part297 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg347 = msg("PFM_ALERT", part297); + +var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), +])); + +var msg348 = msg("SERVICEFOUND", part298); + +var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), +])); + +var msg349 = msg("ROUTERFOUND", part299); + +var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", 
"pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), +])); + +var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + +var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), +])); + +var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + +var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, +])); + +var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + +var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), +])); + +var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + +var select42 = linear_select([ + msg352, + msg353, +]); + +var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + +var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + +var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + +var part307 = 
match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), +])); + +var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + +var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), +])); + +var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + +var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), +])); + +var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + +var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), +])); + +var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + +var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, +])); + +var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + +var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, +]); + +var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup31, + dup2, + dup4, + setc("ec_activity","Disable"), +])); + +var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + +var part313 = 
match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup31, + dup2, + dup4, + dup38, +])); + +var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + +var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg364 = msg("PS_ABSENT", part314); + +var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg365 = msg("PS_DETECT", part315); + +var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg366 = msg("SUBPROC_TERMINATED", part316); + +var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup17, +])); + +var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + +var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup31, + dup2, + dup4, +])); + +var msg368 = msg("UPDOWN", part318); + +var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup31, + dup2, + dup4, + setc("change_attribute","Interface"), +])); + +var msg369 = msg("L2FM_MAC_MOVE2", part319); + +var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", 
processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + +var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg371 = msg("PS_RED_MODE_CHG", part321); + +var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg372 = msg("INVAL_MAC", part322); + +var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), +])); + +var msg373 = msg("SRVSTATE_CHANGED", part323); + +var part324 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg374 = msg("INFO", part324); + +var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup77, + dup17, +])); + +var msg375 = msg("SERVICE_STARTED", part325); + +var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + +var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg377 = msg("DUP_SRCIP_PROBE", part327); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + 
"IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": 
msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": 
msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + 
"SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), +]); + +var part328 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); + +var part329 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); + +var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + +var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + +var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + +var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + +var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + +var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + +var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + +var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", 
"nwparser.p0", "rc%{p0}"); + +var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + +var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + +var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + +var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + +var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + +var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + +var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + +var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + +var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + +var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + +var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + +var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + +var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + +var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + +var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + +var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + +var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var part355 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var part356 = 
match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var part357 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var part358 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part359 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part360 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part361 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part362 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part363 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var select44 = linear_select([ + dup27, + dup28, +]); + +var part364 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part365 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var part366 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part367 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + 
dup3, + dup4, +])); + +var part368 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var select45 = linear_select([ + dup47, + dup48, +]); + +var select46 = linear_select([ + dup50, + dup51, +]); + +var select47 = linear_select([ + dup55, + dup56, +]); + +var select48 = linear_select([ + dup58, + dup59, +]); + +var part369 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select49 = linear_select([ + dup66, + dup67, +]); + +var select50 = linear_select([ + dup68, + dup69, +]); + +var part370 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part371 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select51 = linear_select([ + dup71, + dup72, +]); + +var part372 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml new file mode 100644 index 00000000000..33dda070fcb --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for Cisco Nexus + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cisco/nexus/manifest.yml b/x-pack/filebeat/module/cisco/nexus/manifest.yml new file mode 100644 index 00000000000..37ec55fcf9f --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/manifest.yml 
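Review bot: The four `geoip` processors in this hunk run on `source.ip`/`destination.ip` with `ignore_missing: true` but no `ignore_failure`, so a value that is present but not a valid IP literal aborts the whole pipeline and falls through to the `on_failure` handler, leaving the event with only `error.message` appended and none of the later `rename` steps applied. That is plausible for this module: the parser in the preceding hunk captures `%{saddr}` from free-form tokens such as `ntp:synchronized to %{saddr}, stratum %{fld9}` and `ntp:event EVNT_UNREACH %{saddr}`, which on NTP peers may be a hostname rather than an address; if `saddr` is mapped onto `source.ip` as in the other RSA-converted modules, those events would lose their geo/AS enrichment and show up as pipeline errors rather than as ordinary events. Consider adding `ignore_failure: true` (or a per-processor `on_failure`) to each of the four `geoip` processors so the enrichment degrades gracefully instead of failing the document. The `user_agent` processor on `user_agent.original` has no visible producer in the parser hunk, so it may be template residue worth confirming before the module ships with that plugin requirement.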
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cisco.nexus", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9506 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md new file mode 100644 index 00000000000..1c8c3a2b2dc --- /dev/null +++ b/x-pack/filebeat/module/citrix/README.md @@ -0,0 +1,7 @@ +# citrix module + +This is a module for Citrix XenApp logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 +at 2020-07-13 17:55:35.817587 +0000 UTC. + diff --git a/x-pack/filebeat/module/citrix/_meta/config.yml b/x-pack/filebeat/module/citrix/_meta/config.yml new file mode 100644 index 00000000000..d894a18356d --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/config.yml @@ -0,0 +1,19 @@ +- module: citrix + virtualapps: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9507 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/citrix/_meta/docs.asciidoc b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc new file mode 100644 index 00000000000..fd7f80791a0 --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc 
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: citrix +:has-dashboards: false + +== Citrix module + +experimental[] + +This is a module for receiving Citrix XenApp logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: virtualapps + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `virtualapps` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9507` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/citrix/_meta/fields.yml b/x-pack/filebeat/module/citrix/_meta/fields.yml new file mode 100644 index 00000000000..836b1bbca37 --- /dev/null +++ b/x-pack/filebeat/module/citrix/_meta/fields.yml 
@@ -0,0 +1,5 @@
+- key: citrix
+ title: Citrix XenApp
+ description: >
+ citrix fields.
+ fields:
diff --git a/x-pack/filebeat/module/citrix/fields.go b/x-pack/filebeat/module/citrix/fields.go
new file mode 100644
index 00000000000..d82bbef0ac6
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package citrix + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "citrix", asset.ModuleFieldsPri, AssetCitrix); err != nil { + panic(err) + } +} + +// AssetCitrix returns asset data. +// This is the base64 encoded gzipped contents of module/citrix. +func AssetCitrix() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99e+UnKRre2o2fZztbVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69eEcav59Z8IsdwKeE1O8N/kHyDf1PWfCCnBMM1ry5V8Tf76J0JI+AmZcRClmfyJhP96jR+6/31HJK3gNZFgV0pfTbi0oGeUwcT9vfsaIWoJeqW5hdfE6qb/iV3X8NphuFK67P29hBlthC1wyddkRoWBrY8H2Lb/e08rIGpG7AJaxEiHGFktQAN+ZjWdzTgjC2rIFEASNTWgl1BOBvRpQ+9AzFyrpr49KbtM3SyLWEsqtsgbX31s/dgSm0UqM9/6+/4VxjdssCsfF9y47xFuSGOgJFYRRmvbBP5ruiIVGEPn7t/UEqYqMI5o5T7fAU3IWzUnp8BUCTpOiIfFd5E6lJwWLixB2sKRlhhwQDgz9wPLDfKcKWlBWuPuB5fGUmlbNEwUR8urQxAsqd39YIgd9zi5JQi1ZLXgbEEoMWAMV5IsuDWEkvdgf+dWgjHt7k8GR6Mj1ixUI0oiYQmaTKE7dzXVBsg7sNShRslMq6q31NO3am5eXFB2BdY8G4A/5RqYFevnxAa8KfkAXlj4Ey57aE6ijBSwBHEAJ4WSu/dzi5OnUGtg1AZMSphxCSVRUiBalk4FkIrWcawqMy+SXZg9e/wu3PPz0x/Ikoom3HhegrR8xsPphGvKLBFq7vdLDzYCqeMOfDgt+D23HTXVlrNGUI2/Dxs7GT0ZA9AHnZTYyRhAHj8po1uyPO6evPz/e7J/T9yqeTbkftdXTf9VICG72/JosFvSQ4RedtQ0GNVoluntvT/bct3/+2FmLLVQgbSPETnalNwWTNCdO/xI0ANp9foxIrZwOtVjRIzLwxDLqzG1kuPxnrQS6CHSIy/bZgBlShtqRK+J2Zm9L7ZuAYfNQA8ZKAn3syJ29JAB9BusiHEu7rhWjsRF2fOqRNnn2TUgMxH7SISDd2YfO4Za3Uj+pYGNGq07+sOf1ttG7YmSzD0O1KrHbtmOiJslzysO+9w9ccvwGWe0f5/fqjk5W4K05BKFM2lkCdqZIBqCoBqQPuPXUBID1gHZ+vH2GmbcYGk3YQD73gZLtwkD0HfalKEnML1/6bCDOaDrDjy5Gw8WymTSV/vn8ldlbF9Eit0TaUCWXM7bD03s2PR8SF8Pf/khB2zwo1HGnl8sfyK0LLWTlWPXfZe5A+qt+lqZu3yVm72v/t9lr+NWftmwKxe8I63vLSsJJXO+BNk5yb5eRcCx6DD/RV4LpHyM
yt/XEdEYdWioel1o+JJhr/vBQ9xgpHu6Ri6f+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg6eoDZDN+LzRqPrdQPch6u5XTDeGQfMZnwn8C+7Xc5XLzbbPOm5X/uodDEqvqC6zKXU9idYju8/J84vPW/oeJRoE3d1SQszaWKjCIxrQdtAW4E+q8cxz/1aaz7mkov3NtrZyAx9y6V97EiPOLz6/irAgoD/gxP1Z0GE05HKK12dzUIeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB33HiDnxp05bgjzrIPSYbqlqL5Vu2oL2cPoR2jxVWz6WFTVShlMdquUJNP1YNMI0fClAWMdQMOrWqzDPrkvO0FPgLIFMbwE8vR7Yhe6IS9//vkZWVFDDIDsVtnDiUehvN6CE6ZW0kA+VrCv5lQw1Ujb+RSaauqFnrvKJgqBPKVTtYQeM7iMZla24s1YDbQavT/sqzk2D8wqKHmzq6elYNQ3Mc2xcyzwGeH2n83L73/4s/Ei/UWNArRF+p8Dav7p7MG3dA2avCRnktHaNMJHVpxJeSe5HoN+z+BHJLcytsqPL8m/O3Kfkx9/JP9OmNJOX0YqwqLPyX8X9n+6L3JDtpnyTXQLpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFYyLIslZcWjRNLMQTnPFwFKC1ypSfttEHTQ2MU4EYI6bGKu00a7n2Wof7YEkFL/3BiCFFyEw1snQvjABEnst5UI5uTF7cvhEDyCligeE67AkbjezCWihaPpZ3LqBDDP8DSAVWcxaxOoIp3P8y2sL+uW+FsHv2qd1otGrWbtuE/KpWbmuGNieXRGlnjFlFrgDqG5j2KF68r4RpWjEwpljysihzRV3PWskzBwmaWrzkpeNgzy5ccm0bKpzRvuV7lxEXB6+4M7sxVo7M8FSEq35+SrST1gYdKsg0qudgu6/dyAmjMyU9PTgnfCbcfk7oLKGgoeA/P219rx+gUhbIZTjvTAM+tNP1mKB0/2sDMV9B4CWsVJha8JyZDY/anDd8oPY/Ct3MydyM5x1vnXsDwllvT11rtYQn5L9GhNGLlxkXDxCjd6s64+ji5M1F0H0ZlY49vKqV3tV4CT6RX10aRPM43B+f/FOFhjia7jFX6rYp32x+sjHYvZ6DlvmEvPz5FVkh3yugklAh4r4CdOqjmrTxH5EVaPBgqSUCqLFEyZ1ykW0mPria+HUzMXJXc4RtA+9+V7pExmFWE7CFVELN17uBuBnXAy2WkJ8JW1BNmfVMdJd6jfij01ySRoacHrHlMx+tqE1d0O0D9TmDCHtil2hRVE7JVLINI2i6GpVpKFl31ErKUGP1MQoZfA6KsUa3EI2lsqS6JFLpigr+Ryy/V+kqyp8yZDkczCLVTAdP0p2YtMG6Q+aF4DNAiiMGvgGmZDmiYG+2uzA2p59lD0FcMlXVAmz0AIw6USkq8FbzHTHYqzfT9oEO8qVbO3qcx47y9skcPX6VknaRaJs29ampcl42WU7lAzH+TJY52O5A/qFk7m4Le8SiW71VMX167cddDg9EVLYb/YZYuLbh8pElaNMrpyj35YFF9ve+h20NNBWZmzI9pnQJZb53MCTZhGfKdCu2OkabadN9sR9fH75WWlUThNpgUb5hIKnmyqv1VSMs/85y0ITWtWirXza9bCoq6TxWmkuIwPBOay96pDyuhnD7xBC1kj4yZmlV73oGA8ZuNYfi8PZZQ9iCO+tGlWAm5F1jLJpJfaDuVlI7kpdLLRy4SXsF2Gzm8F7CMTQh3OR2Qc87DTPQIJk/ENSp1iVf8tJpNnge4oLsshVkH3eYFyfyuub6aBRu9tPHgq7dSeRWrD2xxgk9p685pPCA7veNJtz0URfOcyeNO3k2GSzZpZOpJrUEqgaK3H0hdvxPfVVQg/zSQHO0o+ROtz9F
G/m4ooYgEuXIuUHkfkjN1IRKwRZDM8i0eWUzvL7zKgeudZEB1brIoT3XKUXRNtCXyaFm0JV6r8jDmJA75mP0jRk8l3d6cw4VmzfJtUOCBZsHYqcbQmpHEGUDJT6FYm0akTvsNGJFqcYyVcELj0NnvGBWtpoNTgiVgQVbBuTIAYElaG5zlo7sIaxdPRQB9iI7+1w+eYsXB70D/SvdVbo4aBh3qoHxGd8YPnHt1gdzxnqqBF05fzZTZAM6FyMvNwUTrYuqDEGWKN7BbD7WJnzettL7lqDS5LfLkBrLTZsQsOtXw/XbHRqrkjS1Mjyh4LjV2UJzWpa+wxSm8rd3d7QLTyNska910R1FkWwq0JzdVRZFaTtCFdsewvqVbN3N8GLJ3+8BaUuQpdIhYXYvZWr6rwfoXtOGdtX0X8DidrRDLH8t+IDdToLuR8xL+py96r4ZXshQ9R/ETPByLWiXWyyVJZQsQseLeAKtUPOiTVR5EKHeHsQ7C/Vj9EzZkn1/w3Qr7FqN4iOu+CvB2Tr37dkjFy4QgdBcW4r1iFxuRM686TgDPzQCELG4OFXSwnVujbVD6Fx6f92mHyotS+P+Dx9VKlqEYg1gbnic2YLKORQSVrllwVjgEla9UD8qIdZqPm0s9CTEMEffeNSdtt5//uKiw9Q0mbDrOCd4traV+5iGhuBufpFHpq+/RYxbrABzDGsbDppNzpdegp6QS/Cb0hjQEzoHbOUdMt1nSrc4DGC3YLzezvD3xP++17dCaTLVauU+a/8adE1vdo32kz4vL6i2qd10HeDUHpVwp9SgOvRYd0qJslMbc10pVUMIKOZ6i99IQgVo22UX6c2i4W8+vBXER68JACYhRRTmkkglv9NQA1oy+7If0Gw45pPDGq3dhensFdxJ1ONecB9ha8M/A8pW3C6CsuxlPTnFBadYbSKJkt/NlfvvPS8BKilFRHHMSDftBQNfIAIOSTUjTjpYDmZCLjcyZXewQb+yKg/GJ76crzHOiPEloz7ZpgziNzCeEiYaY9sDGf4x2Cb8CTduJ0NNdPBvOMUXPx1XgY6u/fgbFrfofVumfErZk5sML4flKWJBqDGKcfSXut2I2pO4YW/5FbwmlNSLteGMClJyc/Wc1BpnojwnYNmTuKJMNT2k9vKOD72vs9G0AgvakJoa7OJlsJGD70XAVFU5Kaa2gvbD0hqwbK+659+Dh9L4enuY4WHy4pupqm6GdzDDtlGy4rJUq5BPy5RkUNvnXSbFKDMGZM4aIdbkS0OFd36WqqJcBqkhewsJNfJ09b2eqdSlPaQ7lfAtl1dQhlqgNhGdGvROBQPFffJNh9qEl/s2Tgy6QmQVdf3JTt4tsYtAi95vlw+F12918LySy2G7ni7oDLriu4OdcrtYw5qIrT//+zXtHxNr2jMu8t/xjuRfcLXuGmsoGwakjRxB3N1mQHMqishrmu0RucQlW7V5933sPYDuhRn1CwC7Mge1HEjhMQ6ru4duQc2iu6FOLYxUGTZs4TN/2xqbrszwpIW00yLMEdItMzGauV91/x5WmhInzyXhmHPXSCaAavcnbIS3QS0UEAZvp24LO2+OPnjh1wz7PD3qF4upaspl1ze7/2CFslF9h9dryXVjju3p62sjiMC4x+84AdLIlTjxq/uejOOeUm/BZXeNd+zzXubzU/LeS5qnoXED8dP2QtGvw+1ZXK/2DuiH8OX33M/np8jSUPLWiYmh92A7IufTAD0JE3+InCxYcRM3UpdmnbOX/XZUNxRoe3Vhrx9beuP7iKfGsf6kW5icn96oyabyz92gyTrEXspyo9FOyImvzwz9ToX/YL82iwjq7W/88E1wx00b21VuKts9Ro0UYDxnlH9QVoosqeZ0KgZVgL4pA5ekFnREEBiQJmt/lK0N7auqfuWJk1ROw2jrC7nb58sX5xe7OjQJLWO9R2GsLvvAgYK3roXcRFo8kuRcWnLJ55KisBg5orXSOZvXPhnIL3dIL1rdTWFXR/xP
h0jvLuMpK1Xk4Lz/7SPhkommBCfOwiBb9/MJeXp2TatawGty4R0iHixK70ncL4KRuaPHNtE5tXla4phxc+VU7gPwukMpXs+N+T48DR+4udoTcrWaz+eg842wi7Pscz8WEHBA7XShwSyUKN3p8bb6yKTRrdD7ETwLw9h7kMpPP3gd41nXjOP8NF5GcuvoPFNVXRw57wp3JeRe4RhX798zzfQ7h46SWJ86w3EzqmzYmJUW1NIHyhrrY95JS6Wx84CT6y1+I1PiqC5XVD9Mht6wq76TrjQ8RI6IkdbIT50QpeQdZW0/5bhy60TQUe0YJb9rFVS9Xwp5WzP5UGsN1CTPDTaW2iaV4tz5oygXD2Z2uMWn6prw8sX4++Ve1uYYGDqMPg0aH/u74LCIX932Hcs8fW9wyE+Hc/cOec64VE2qGGevjsTMk98pJ0lTOh0GHtmfEgPO3Zlx60i8EcLJPWIaxsCYWSPImVufMFWCcUeibfYbtyy4LOE6MQMEN/YwzfOesgUXRlNMt0hMQWN8s6KaC8zgiXjwfPxdzglFJn7nfhulTGY4h2rqmws9kEYcVidPu3zOGrSpQ9GtlzADlgUVYZMQ33Z4ejZSZOjdXMP3OHdCiVe+uiSv4Kvy33YfUi4NKcFSLiJOhqlqbO93I6QpcfTczNZjS7s8NsRj/CG1UNUiWzbPG1LCjIYQUOh82cbwQ7am04qXoAVdYyGXVeFxJU8jN9J9gFZ3+DXM2ipw76s3ltsGGzOSKGEb22DYsOm+1zVpFKvn32E0NaYZZBVTVeXuU55jdOKhE95L9q21WvLS+8/aLnIVmNFEqFKxwwONd/eW/cLFRmtk/by8uGpwXWPS08PI+nb1vLL+X2p6oN/pYPL+t5qGAEz8dtU8X+PcU0wo9jt/eXFOzgcKVR+NbF1rQ3XJfgwSFnZ11bDzpIb0XfxhIbc6rtx7EVFMVZm74mtQcberdARciMNlRD1apO+W4EMGR6g877mAQ+mwT6Dt4iF8zssulDPixKtSW42DMvAEL386Ja+ju25yPlPtdO+LT757ThuIwmSNa2BN34vgU7+mECtvbbsw7UvcOIIjJOoVL7cdIl11JV1SLugwkEE6VzjB+soZaD0yacHfoUN8/enibsFYqUIDKB+AHZAU0g0Mn09GJCKvimlTluvk/hleFUnrgHpwGwOHNTrf66VKD1FzlbDLwU6JXWGaYxQkcNPPXvU9V2lTcttV1m36ogWMYoPtNhUbXpRswgv7ifRZYqk5uDyaVX7y+Yw8DbUSnxvhdOUpF1jAgXlgZ9e1Mu6bz8h3Q0eD3I3CXEm1kluGkAHWYDOL5Tb0kUmbjB7BBbebFnrSVrm/D6VJb2FO2Zp8GjXXBJ9q+hBF+WHhLRZzSSrK5UzTCvamY9RU49Te/H0StpTLC1yWvFelT47etAXsZZ1FkCI3aF+YKuAYkctC2u4b9x5W5NdGoin5TpUgyFMul5NvnxOu2HMydf8H7v+opGJtuJl8G48vWlYXM0EHk/NT61DbGv7JBcFF0deFcnLdDr9Ss72NGqzKiqn/6zTg2bZBMKDdQY4itKzSyt0dzD6/+51qIB99AvC3335+9/ubD2fffutzbpdUUz56JldKX6UsWb7xgv3eLtiPsI06wahMrUSEmp20XUq654Ay91ysM5gwM6VBGs5SCpCeKykDxlV6L0gkPpAKaLGifDic+N7eAex9nhqouz6pS9RNM810Key0NFanrnzHeu1sDrH+W5rsHW1rPvI5SQ8tdtkMBhuoNKHYZFP3EupdHIgZH3U0taRmc8QeSmq0G1GEzN3ynrhQPrif4N0dFw75oP9/GK66UZn95L8HOWJlz0cfENmL5IMcjjaOuw8/pY6QtLW1sz279KntMtrbLDvsk/kM3W6Dk3tzZLptWc2PEQ/Doq8Z5cLxum3mchFkxvlpv7YNO3E5c9DCPNLCYDyrsM25LpyKeAA9hyReY7p1qD46UVXVyF1P1AA7eVjj
pvti9x6u7d8grlN3uJnDNOv74nZJZfkfKh412+BmqeWHSIZ7YzdceAs505iaM66SZYkey4JH7FdUy2HQ4bGjbmRVFyqXML58/+6C/Ob9qJuk1DgiX46aSnD5n2/Jlwb0SO/WRshCw26nzrzJDT2H6Jp8aIvOomldnZbOEj6kfaAq9RgBB7Q+yHF0E1QbCY7dG26ZfkADFVRXGXbLgc3gXqB1wgLkDmhTJptKuwUzbberLdAltbta4X3hTkGyRUV1qrKSDu66poPxxfeOPlE2SKdKArNYJD8LDGZpC6g6wLM5tlrKAFZN/5UBak2TT8LwHaeSHy8Muhc89YMTOrdV4FTP5EjLgjIcjJK+/MTBNjKh8d4DPJ3Xy5/ktV0kf9+ZLJjVRWmS9l3vQXeQD4s83QLwUtDkEkMWIOdcJiyKHILOkRsti1lhVtyy5PJDFjOhVoZW6XNX+rClXeaDniHqwmTBZU5xwmUNupqukyW8D2DX7CoP8CUVOc4Kr4taK6uK9CEphL78qUCPY3rYItvdFGpelDmY7QCnz39jsqjodWFtKrfBNmB3ogVkeBQqLjMhzWU+pGthCjEVReqw6Bbs7zMCT94ZvAc7dS/EPuzUVb192D9nhP0qI+x/ywj7f2SE/ec8sK2qBZ1CDpHSQU9vnsmiagQq39N1hneyBV5fZdBLqkbweVXn0b6dlknFPHUSUoDMcyglBr6w9L4RWRifkJhhB41meaxJBziPNWnWpqkzzCJlsiurzmKqWmWd6QHXGUSIVdYZZrlgo1mTBXgj+bWkUhlgGQ7h8pXjSqZHYflK1XYBtMzgVlNVXTCRwYftAGcIkiBcPV3b9G5RB9lkgVw3RYaYBtPcckZFhgIiU9A5SLZOmHXVhy2pWP8B5TQH3ssC24BmgezbweTB2ifWZoE+ndfLV3l80KaYcvvnLI3GmCnSzorbAaxVclFtslxzhApMp69yM97Hn2zWVg8w2IX386d3jnjgqPZlAe67yafrINeDPeMCctgwppjl2EQ+S1mcvQ04h25gCl5jkmKRRdTxevlTaWw9aOafCLbRLAtswWeQw4wx6GiuoOTJCka3YXOZ55RUqmwEGKZycDsA5/MMsknVZkVt0pn/PeixDPIkgDXMubGapveEbGBn0Pg01LlYrbPx2mAncp1JvvrMfH/EM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc1ywMuRQtgUkJd+vn1quNxYKpPPOS6NnTY61bDAFir4WUE5oDbJcU2vR7c1yanB4uSGWfph14d2GtgHc07LMvUd4GXqsGrbOijDW8SrgmmlqixdiRzgDGYar4o8yZGh41EONtdXydsz1SZ9y1Jem1rzxEAFtdw2ybPPBJeQrsXOBqpJOlGng4vFt+ndWkL5rqfFTKjkz3kHPEPKv7N5k0sdBzSDxHE2dAZUk+cmCDXPcnTlPMsFrpVOLcCqaTPPcc0qblgOsVCZLAc2xxwICRabKyWHm1yG+wbQqTP+PNTU6XhytUptgWSpKFN+AHRyS1Sl14yU5vMiMo/r3nBXEnT6N6su/FDe5GCTTqbegPUjXrMcsgyFm2EmTmphEMCmlgZ14R1JydGlxrgPC7ZIVec/AA3XNU8eCKhBV3NNpR303E0BeZUFcPqn13ci+/RpZwpoAsBazQtq6oQDA/qgNU0NVQMVOfQ7DQz54LuOZgKenskOctoWrj3ISpcZME7vyDQZfMPG+4Yz5AMYSJ0I4AceZzBODHxJfwBiDVqTQc1gShk+zyB4TZ3ay2Y0y3EPNCuTK9JGs1hX3ASAbboRW32YjUneVXPJZOpCiei02PsC9U06U5Nv5zb9sfJA00f0upmeqeGu6+TdWptymiUPvdEiw1vYGNBFyVNXvWcZW9FGhnKwwTJjaZXaG7wsuDSWzjJoBkuubQ41fFnLDK2brNKNTOlmjbVFi3QUfdNYRT40kgyW7rJHMg7L+0wFL8mJhpJbckJ1GboZGmz/HkfH
T87KyKWxCaEIBofoE+xvwJQgsVKdLh+Cy3ycO6tqodYwGCx4I/9mqknW1PuWZ8zx0PuMcN6Zhjlck4ruNlrYxGLlvNkdBpIdScENDmdoVw9bjw2UiGnqWmlLho1HCVktqCXcklrDbOwo3CMt9y5DKGKMD1ZHhwLhMnR2H+kLLbjMPZG/h6pbrY+nIVbNwS5ATzbfNwvVDF40QiQsQXfjiKwiNdUGyDuwFCeC+7tKOxY8favm5sWFL3t9Rk7DiK/nxC4iU4qwGfAHCKOPEW1J3oP9nVsJJr7Pw0OdhXkzHNnd3SJc3BNrgGq2mHDJo/jhzN0j9NfeEZ84CwOTIV4I2kic9TtvcI5r28Q93sB9p1/7Hpryt+PuaOqacIf5xSPGvtuIImFN0+06r+Ky5CNcW7wVY+6CY0yjHhFIm8F173FCtRQjEy+xe27GceDYP9eAJRq+NGDsnqbdh2cr371XvlcZcCyPX9VL7F2PVJd3uu1O2YeTxwhjY1t/xw7t5nWU8pSz/2+eb+gWOz9thQKuHT8baDWkS+K94xF2j8uUGiA+XbvDhgxuVbdL4RcPg6/sRsF3mCvt29dH2UgINcQA4Lgzun9elabSUHaE8b6DDtN+aYlq7+bQsEbjBLR9SNegK+7VjWMhvVnSD+bgSy5gDkTAEgShxvC59Bu3mdcfP/rYkvkB5Teuv+ekTx9k0rPDrJH8SwO7YxJp/PL18D2sY+JhU1BajYaX/kIyJSVgbgVZcbsYExSERCpDOo1dw0HlRXc2LRw7UZ50T5RQc86oIA6DEdMHsXhY7HCpkTGND8e7erE2cfR66WwrtZPVmvqBp4JTUyxUdpvAG3GduYazVDZDjZxU7I/gifcDIP7SOGzxTQuDWJgAqidvhFHOEN+6b6cYLCe/hl9MyBu57v41gG7RljfSElpOmKrqxoKOi+EsbnxHWD7z7JvdvcAZi1sbwu0/m5ff//BnZ/ue9raj5dg3UbTDOS3SRsxu67iha9Dk3zqfnHkR0EDk4rc+df1P/jMvNzhvnfq9+3Fg8vJNsu3J7sAUt86EvP/t45mjHTR45wn6S0tumIaaSrZ2WmVQz8RuLghBDj0nH9+9JufS/vjyOTl/f3r2j9fk07m0r34iT1eLNZHA7QI0YQtlwqg0pTUwi9/64dX/+m/PnkQ5AnaRUcbt8gNl6qSi8XE8JvPpu+M1v/Rn8bxFKn7Fy8eFdF823YD5gQ3jbv3Ax/DdUUw31slnrm1DBXn75n0U2T+UhHy+rMNOxv9REiZx3jp0vxoRioTcLDxxCx7jG7xnH+bUwoo+wIh0PN0X5E1ZavTT+lMeQ6d7ellVHxrnvG8s5Pzk3YV/lUbDYxU1R4x+bDmVvKYa3m5yfuFQGfF+OR4eOAkiCQ/d2uM8bDWxwk/XOq6A6KFLy5K7L1OxCdj2ZvnH37kjHgBnEuIFV+GGn24fgQEqm1zrLHrdbZ80St4HDC+Utp1IHgjdEgNsuAHcrm+WvObIvPf0cDlvH5OWrHdjjJcQsxuP5cUN2KHlS41RjDuV0/uNBjoOcXJZUzmHSWc6MSVnfN5oKMl0jTBBlpg1FJcz9YGtBwZFoyPacnTRWYZ+ByKh7t8v4UruANBQKQtFyOxOn2eUnrWlNAUtfCp+BtC11XmAzzIciVmGamGR4zrk6n9SZ2AqLYvWE5dPLd+14B0dk93V+s6EB9Bgz+wCtARLPq5reE4+tc/YW3SA/UguWgfY4CX4bUxTa0f1HEGZGDGNW6SDX/w5oUJElYl680VMcKMaE/OWoN0byKVVxFh8zLkkn85HBQrDBNls8iq5yHZAVZ1h7JsDrMGkzuh1YDOUuPgXMXUqOvrbM2DrRysUAuQ8+aRIxNkpHxm10BEN1Ks8VPQCMJIwTCeYEUp+UXpFdTmc003Imzkme2lC3Y2/xly6KdgVgIyrnom7Jt41xq0sFf1QnUeGYMt4zIwYUMhlyHPFtISKWyeWwoiNOIlLQeUx4vi3cFC2
CSI9F+WAwG2X5SaSsnQW7BwN2O2XJ3WkEhh2IVim6wd3u4g91ZazRlBNsF80aZF4enb9+q2aq9ksPv0dWGEXkH17t5D96Bb0t7GH95nD26H7prELkDYki4+ibZqUnRNul9DjlxxH/ZMBPYqwaixTx+V0WHIc4cuGMTBmBGfsPH5Yc7TDEk8QL+JU3LnSaxIpTBjgdgzhtIUj7ODopBIG+EytpHtXnNyKKYfdD8lAUdqmapmuH93Iu0mJ71qKNQOCQ9nRE/wwO/owl8Rw20TkJ8HiAggiOkBdUENoqWr3utgFcE3USm62zDPO0mslVTWSV4szOQz3LeqPq0Q45Z7L0skfpU3HAEp+4QLIm4DYZMCG2zh7ZUeYv5OjCeMd/Q+SrjDKgsuQtZCWCzEaI4xIWe9+D0b4fL3LUK+RmhPjCaFTlbN6IEL8FBZ0yVWD2iVTVa1VxUcyFOHYyJ1JOhVYRDYjJ/tx43LZiZ2MSO5iuKV1kigCWxgmHS5zAIKR9Tv8cu9u75Xd3LfRY7cps2yk3S1nS63Rl1gGXrBDzPpbaUH4Hs9BguasJQkZgol+u6kF3C7wqY3NdiMB2Qn7YWKsHg9+tjQd0nbrwWh6uZ+moF74tTLSFTVNOyPc8gqMk+te29NQw2gQKexCsqYQN24ENh685zboWx6tQ3p3P9jR+vF2NP1QmGRDTm9NWnAY30ThgDakeCMQbiEMvl7qXt5InT7q3vmLloQ2ffPOJeulehwBcoMc7wTI13scf7x5y1KNNjjOlt1OPuqjSpCUd+wW8uOoxzElbYPD2Cn1WIK246dOXrnT2EVRgV2oB4iS0C1PMvFohK+Nbjj2UtIqq9dpT1TngxLBX+sQ2XMuM3lC/jH5+fvvydO3p28unpFTbiyX84abBZRYCh/FRai5yt4XaF8kDLNlZx6PsM34xZGMMa0yexX31X+6XY1h0N0Y9MgnG/p8l+vCMO2/q/vtOf4Qp1jMlMpYm/RNphgVqbrT7RDygZa8MX4FojQxvOKCai+enNh0d4jhux4vr8J7bnh5zE4j/Uz5T+4gtF7Enb6Ym0uer87ijdx31zGsESoNe/7f4CTCTwZnIThuoFeWUcZdmUrnTAwYhGyQ1UrPqeR/7MmqlvmOwm2ZfQCn+2dqhN0zrqO1pJm6/vzilsPXwrf48r2LtrKafwUq7IJRDaTWUKqKSxotuOuJpwtqOUhrbkyPF/SY1L6lD0qsb/0IdaaD667OEye4aqotNkPakLpfrB6x2VEQNreRqDMoQVMLZZEsqWzP+XDC55d2xS54dqHVkpdd87DwPVrXImiqg4MRmv+4Z21bp40rOBsieXkkKrslQ68/ux4hMzo8FDMnl9xHzxe7ivtIC7hO6Uw5FPyumidco87U+1GvEnoeIdTrqKixUkOMVdpLfAetAktxtSf4rYn71pM49RUvSwHHk3LvcL3byrnI9vbk3kFyrh2PcRxyL8JqvQ5Dct1GZ5+TWlC3Ze59VpqAZHpdj3n5MRXyCPbkLTLodGdb/qqMJe8oW3A5YtKVNJPk+GaX158kZvrXGpz4cPqRb3JmJuRtSWvyGf/h9aNSSV93+s/h40kWdAlOcxJANfnSgF4T7EFoaiUNtBpVvDjV0Vvgb44jL0MPPOYga952gZSefN+XbxzPlqQjoLo5QB9Cc9TbYopTnvI6zHbPeNtaequJkbMNw8PLDdGNlFE71jzvXh4fefZtpEZq7ALEIliY+TeCkhWXpVoZYmpgfMaZ++R5rE4w5MkOL4gjz+O7ybkhT7EjLEi2eYYwdPmsxy3SSHzH38KcsjX5ZLYb33YR2Gq3kDZ5dq1b4QgG+8hr3ze1EBWsVcND5l7EAce7PgCR6v+tSlMs5xmyb5vs/Ar1WHder15HKEYKowct/OYAYo+T1ztGasjwDa73VtadIenjXUCH1BzHYdcFDLb3ZpOQ6bdhsEPxhhQ3Fz9j2UDKkYCjFW5IcgkzLoOvHoUTdvWraD3SdBCx
O6hQLBNuGwfMjvqXWjB2PtvctIdeSiO9KTsftrWULaojt8DfrIoMJwPrqL8dWYa8TLlMN0Es6d1wJGNRYd7HMyKk+mU7uC2+jfamvD8ytXOAdd637wasa6rbM+X+/HxDymrBB63Uibsdzpb1ye+3Is8mn1ni21oovc634X8xNZV/vbFjTIvIdhf1Vj2PPU2OLX95gdBvoO3BVKIBVW2/9f1UjZ6CAqTVqj5EdJSqmQ6cC7c642FNZ23DDeUIiKOv7jjuPTxRVU3luruPeO1wnL63V5ag3TNUcDlTcaWAmqvcNUI3yI8dK7LFbAV5u6LPvuTKEfilEWJN/rOhgs84lOQU6569czCKygqmBVPqij9Q0P13mBK//sZ+pmJMm0/ebXYTDq8biyr3gSNMb77rH7olwpSd4I72PvkJ+biuPekbz4Fjjt/B8c3TMCuSNpPdQdvh4B0R+omJta3dReYYrrpOudzGznsWa6Vbbz+GmD+8HdnyXq+cxMep5UWddw7RHla4lW/03LdoaqUyaSLbSLl13H6Qmtq4a5LJgpqU0f4eYB3K6RNDbrRIuM09qAl3pTNGi0an8ob0YBrQBZ2nsyk3oJM/T9ugk6Y/boMOpz6DYIFrCxJVq/TGiYOf7DR3it5Cw06qTGqNyi9xjFrCLZn7EZdF9epF+O+TgMKL8B8hrynm9qcCdDw7L5DzgNFzT0w/eI4e196otQE5ZRiI5kwqLmeg9UjcdUj3UejqK/43sj7qnj0Ckm1f4llvGyJXCsPaKuuViixxtON35uP27th9xAxi3f/T32GYoDU+8JPXC9DH8Uc4nT1kPD09wdGPz8gJrh9HDbQ9UrOUET6fgA7DP2ErC3NPc17IGjruMbK34W7RJ6bXKXrvTvM/DvVK3r01Sny3ySX/I+6t4VeZZMr538+IhLmy3G9gvaBmZAKUYcduK9TbSr/4+HBBt9XZJkANElx2zljbOL2tv4knpBg+P0ZFxXZ/o27q4cfRQctOmnBjmuRKJ0LGZKl83rr7xVAQQ9A6qw90sCl96XnmFieXGJzeJ52OkiHRdQYPUeSnl5jauf8x6knPw5C8u/Tcg+O4CDVGFMucL/puSDU4sqPIlIU7erRJ3qbR5ALMryBY1JmaG3yzGVfSf5BQtv5EDMbrlCbnl2/+/u6CXLh3ivwmR6avbLDNVEl9CLYfVyqOLYohtgB2ZQ5yIt9OCOftQRYbOtf16+xahGEaaBhBuJGCe7Rc0HzQFPIBlFyPR9cVZNRoQJwttc3RJnz2sVxSwUt/ECNI7ArCo3W13icIkWNXsDa7YjvRyW8TSBPDXlhbm4LjDNosoHErczCE0Udwm/hctpUvSnO7vuFGMVVVWfvE3RJvj0dwCMVL8Fdcg9i1NFO7WFaCysKYhxp461b2Mvz3QG1boxXF1pcaF7Xix0irjiHsMSCIASIVtwaQrWxBpRw0zsjdbiqsioiMxGyP1La5e1jCzMPf3755H969FzvLdw+KVXrX95+8Zxs3V8VSiSYXA960c5xlmHPTTcZux/k2kltDnnokzDPs1oGFve1E3R3wBJGOUiOaTNLsbcD1k+Q2pAtMtosOlqAxU2DWCMKUZFBbZyhf+j0caa+wWuWUvp7xzmBvR2g7RGulLVGOv7/+x5tYCm6U7anPndLz4ydY7hYYbLlYp9Q3O4k2ivnb2W8X5xfkHb2uuCy7sd7xbXW0HT0Nc2uI4ghZgYwBdfvI6tSneMli8vRsX+VYzI5XsPnQRfgtydnVji1nWZDK56ehS2/AYi+G4nib8sC9AlqKq//ydcNdYY4sh5pk6tuN/hJnQj9QdmMYV41WfBfUrXxx73NimkiKOjXkL8ZqJed/nQrKrgQ3Fsq/vAh/e959yuUMWPyjGdewoiKqyNCp6P2GUFkSo8jIsdQw58bqtbPsjyksamoXoVl/hwPZxWGAJDqljoWmL4T29VpM6V4X8k6f7DAHafX6T/83AAD//3X+uUc=" +} 
diff --git a/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml
@@ -0,0 +1,2637 @@
+- name: network.interface.name
+ overwrite: true
+ type: keyword
+ default_field: false
+ description: >
+ Name of the network interface where the traffic has been observed.
+- name: rsa
+ overwrite: true
+ type: group
+ default_field: false
+ fields:
+ - name: internal
+ overwrite: true
+ type: group
+ fields:
+ - name: msg
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the raw message that comes into the
+ Log Decoder
+ - name: messageid
+ overwrite: true
+ type: keyword
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ - name: message
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ overwrite: true
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness.
+ - name: level
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ overwrite: true
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: msg_vid
+ overwrite: true
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: data
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ overwrite: true
+ type: keyword
+ description: This is used to capture the description of the feed. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: feed_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never
+ be used to parse Meta data from a session (Logs/Packets) Directly, this is
+ a Reserved key in NetWitness
+ - name: cid
+ overwrite: true
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ overwrite: true
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined
+ fixed set of Event Source Classifications. This key should never be used to
+ parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
+ key in NetWitness
+ - name: device_group
+ overwrite: true
+ type: keyword
+ description: This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ overwrite: true
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to
+ NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ overwrite: true
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs
+ to NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ overwrite: true
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs
+ to NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ overwrite: true
+ type: keyword
+ description: This is the name of the log parser which parsed a given session.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ overwrite: true
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can
+ be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can
+ be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ overwrite: true
+ type: keyword
+ description: This is used to capture the category of the feed. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: forward_ip
+ overwrite: true
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay
+ system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ overwrite: true
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system
+ which forwarded the events from the original system to NetWitness. This key
+ should never be used to parse Meta data from a session (Logs/Packets) Directly,
+ this is a Reserved key in NetWitness
+ - name: header_id
+ overwrite: true
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser
+ header definition that parses a particular log session. This key should never
+ be used to parse Meta data from a session (Logs/Packets) Directly, this is
+ a Reserved key in NetWitness
+ - name: lc_cid
+ overwrite: true
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: lc_ctime
+ overwrite: true
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log
+ Collector. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: mcbc_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: medium
+ overwrite: true
+ type: long
+ description: "This key is used to identify if it\u2019s a log/packet session\
+ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
+ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
+ \ 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ overwrite: true
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ overwrite: true
+ type: keyword
+ description: This is a special key that stores any Meta key validation error
+ found while parsing a log session. This key should never be used to parse
+ Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
+ NetWitness
+ - name: payload_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: payload_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: process_vid_dst
+ overwrite: true
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ overwrite: true
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the source process.
+ - name: rid
+ overwrite: true
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness
+ Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ overwrite: true
+ type: keyword
+ description: This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ overwrite: true
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ overwrite: true
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported
+ into NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: word
+ overwrite: true
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first
+ 5 character of every word in an unparsed log
+ - name: time
+ overwrite: true
+ type: group
+ fields:
+ - name: event_time
+ overwrite: true
+ type: date
+ description: This key is used to capture the time mentioned in a raw session
+ that represents the actual time an event occured in a standard normalized
+ form
+ - name: duration_time
+ overwrite: true
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in
+ seconds.
+ - name: event_time_str
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a
+ session as a string
+ - name: starttime
+ overwrite: true
+ type: date
+ description: This key is used to capture the Start time mentioned in a session
+ in a standard form
+ - name: month
+ overwrite: true
+ type: keyword
+ - name: day
+ overwrite: true
+ type: keyword
+ - name: endtime
+ overwrite: true
+ type: date
+ description: This key is used to capture the End time mentioned in a session
+ in a standard form
+ - name: timezone
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ overwrite: true
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ overwrite: true
+ type: keyword
+ - name: year
+ overwrite: true
+ type: keyword
+ - name: recorded_time
+ overwrite: true
+ type: date
+ description: The event time as recorded by the system the event is collected
+ from. The usage scenario is a multi-tier application where the management
+ layer of the system records it's own timestamp at the time of collection from
+ its child nodes. Must be in timestamp format.
+ - name: datetime
+ overwrite: true
+ type: keyword
+ - name: effective_time
+ overwrite: true
+ type: date
+ description: This key is the effective time referenced by an individual event
+ in a Standard Timestamp format
+ - name: expire_time
+ overwrite: true
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ overwrite: true
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ overwrite: true
+ type: keyword
+ - name: min
+ overwrite: true
+ type: keyword
+ - name: timestamp
+ overwrite: true
+ type: keyword
+ - name: event_queue_time
+ overwrite: true
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ overwrite: true
+ type: keyword
+ - name: tzone
+ overwrite: true
+ type: keyword
+ - name: eventtime
+ overwrite: true
+ type: keyword
+ - name: gmtdate
+ overwrite: true
+ type: keyword
+ - name: gmttime
+ overwrite: true
+ type: keyword
+ - name: p_date
+ overwrite: true
+ type: keyword
+ - name: p_month
+ overwrite: true
+ type: keyword
+ - name: p_time
+ overwrite: true
+ type: keyword
+ - name: p_time2
+ overwrite: true
+ type: keyword
+ - name: p_year
+ overwrite: true
+ type: keyword
+ - name: expire_time_str
+ overwrite: true
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly
+ refers to an expiration.
+ - name: stamp
+ overwrite: true
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ overwrite: true
+ type: group
+ fields:
+ - name: action
+ overwrite: true
+ type: keyword
+ - name: result
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result string value of
+ an action in a session.
+ - name: severity
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ overwrite: true
+ type: keyword
+ description: This key captures the event category type as specified by the event
+ source.
+ - name: reference_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ overwrite: true
+ type: keyword
+ description: This key captures Version of the application or OS which is generating
+ the event.
+ - name: disposition
+ overwrite: true
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of
+ an action in a session
+ - name: category
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the category of an event given by the
+ vendor in the session
+ - name: obj_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ overwrite: true
+ type: keyword
+ description: "This key captures Source of the event that\u2019s not a hostname"
+ - name: log_session_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ overwrite: true
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ overwrite: true
+ type: keyword
+ description: This key captures Information which adds additional context to
+ the event.
+ - name: change_new
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that\u2019\
+ s changing in a session"
+ - name: space
+ overwrite: true
+ type: keyword
+ - name: client
+ overwrite: true
+ type: keyword
+ description: This key is used to capture only the name of the client application
+ requesting resources of the server. See the user.agent meta key for capture
+ of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ overwrite: true
+ type: keyword
+ - name: msgIdPart2
+ overwrite: true
+ type: keyword
+ - name: change_old
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that\u2019\
+ s changing in a session"
+ - name: operation_id
+ overwrite: true
+ type: keyword
+ description: An alert number or operation number. The values should be unique
+ and non-repeating.
+ - name: event_state
+ overwrite: true
+ type: keyword
+ description: This key captures the current state of the object/item referenced
+ within the event. Describing an on-going event.
+ - name: group_object
+ overwrite: true
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ overwrite: true
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster
+ name is reflected by the host name.
+ - name: rule
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ overwrite: true
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the
+ node Like: a physical disk, printer, etc'
+ - name: param
+ overwrite: true
+ type: keyword
+ description: This key is the parameters passed as part of a command or application,
+ etc.
+ - name: change_attrib
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the name of the attribute that\u2019\
+ s changing in a session"
+ - name: event_computer
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ fully qualified domain name in a windows log.
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/input.yml b/x-pack/filebeat/module/citrix/virtualapps/config/input.yml new file mode 100644 index 00000000000..a70d6b3c181 --- /dev/null +++ b/x-pack/filebeat/module/citrix/virtualapps/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Citrix"
+ product: "Virtual"
+ type: "Virtualization"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/citrix/virtualapps/config/liblogparser.js
+ - ${path.home}/module/citrix/virtualapps/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js
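Review bot: `product: "Virtual"` under `fields.observer` looks truncated for a dataset named citrix/virtualapps; if the full product name is intended, change it to `product: "Virtual Apps"`, otherwise a short comment explaining the abbreviated value would help readers of the module config. The `debug: {{.debug}}` parameter is passed straight into the script processor, and in the loaded liblogparser.js the `match()` helper prints the raw `input` string with console.debug when debug is on while the RSA field set being mapped includes an `identity.password` key, so a comment above `processors:` such as `# debug: true writes raw message contents to the Beat log; keep it disabled outside development` would document that trade-off. Also, the liblogparser.js file referenced in `files:` defines `unimplemented(name)` as `appendErrorMsg("unimplemented feature: " + name)` although `appendErrorMsg` is declared as `(evt, msg)`, so the first argument is a string rather than the event; that hunk starts right after this one and runs past the end of this view.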
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdatetime"), + constant("^^"), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("^^"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ + dup1, + dup2, + lookup({ + dest: "nwparser.operation_id", + map: map_operationtype, + key: field("operation_id"), + }), + lookup({ + dest: "nwparser.obj_type", + map: map_AdminTaskType, + key: field("obj_type"), + }), +])); + +var msg1 = msg("CONFIGINFO", part1); + +var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ + dup1, + date_time({ + dest: "starttime", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", + args: 
["fld4","fld5"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg2 = msg("SESSIONINFO", part2); + +var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([ + dup1, + dup2, +])); + +var msg3 = msg("APPINFO", part3); + +var msg4 = msg("Broker_SDK", dup3); + +var msg5 = msg("ConfigurationLogging", dup3); + +var msg6 = msg("Monitor", dup3); + +var msg7 = msg("Analytics", dup3); + +var msg8 = msg("Storefront", dup3); + +var msg9 = msg("Configuration", dup3); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "APPINFO": msg3, + "Analytics": msg7, + "Broker_SDK": msg4, + "CONFIGINFO": msg1, + "Configuration": msg9, + "ConfigurationLogging": msg5, + "Monitor": msg6, + "SESSIONINFO": msg2, + "Storefront": msg8, + }), +]); + +var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ + dup1, + dup2, +])); diff --git a/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml new file mode 100644 index 00000000000..9b7b503ea67 --- /dev/null +++ b/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Citrix XenApp
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/citrix/virtualapps/manifest.yml b/x-pack/filebeat/module/citrix/virtualapps/manifest.yml
new file mode 100644
index 00000000000..05766fb7f5a
--- /dev/null
+++ b/x-pack/filebeat/module/citrix/virtualapps/manifest.yml
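Review bot: The `description` on the second line of the new pipeline reads `Pipeline for Citrix XenApp`, while the module path, the fileset and the `tags` default in the manifest all identify the dataset as `citrix.virtualapps`; anyone browsing installed pipelines in Elasticsearch will see only this string. Aligning it with the dataset name avoids the mismatch, e.g. `description: Pipeline for Citrix Virtual Apps (XenApp) logs`. The rest of the hunk (geoip, ASN and rename processors with `ignore_missing: true`, plus the `on_failure` append) follows the pattern used by the other modules and needs no change.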
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["citrix.virtualapps", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9507
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md
new file mode 100644
index 00000000000..64bd6cf1be2
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/README.md
@@ -0,0 +1,7 @@
+# cylance module
+
+This is a module for CylanceProtect logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127
+at 2020-07-13 17:55:36.066402 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml
new file mode 100644
index 00000000000..f48f72b6065
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: cylance
+ protect:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9508
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
new file mode 100644
index 00000000000..ffb6b412573
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
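Review bot: The `community_id` var is declared with `default: true`, but nothing in the ingest pipeline added alongside this manifest reads it, and the same holds for `debug`; presumably both are consumed by `config/input.yml`, which the `input:` key references but which is not in this chunk, so that should be confirmed before merge or the flags are dead configuration. The `syslog_host: localhost` and `input: udp` defaults keep the listener off external interfaces unless the operator opts in, which is the right default for a syslog receiver and is worth a one-line comment here, e.g. `# Bind to localhost by default; set to 0.0.0.0 only when receiving from remote devices.` The `requires.processors` list matches the two plugins the pipeline actually uses (geoip and user_agent).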
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: cylance
+:has-dashboards: false
+
+== Cylance module
+
+experimental[]
+
+This is a module for receiving CylanceProtect logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: protect
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `protect` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9508`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/cylance/_meta/fields.yml b/x-pack/filebeat/module/cylance/_meta/fields.yml
new file mode 100644
index 00000000000..9cd4579d60e
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: cylance + title: CylanceProtect + description: > + cylance fields. + fields: diff --git a/x-pack/filebeat/module/cylance/fields.go b/x-pack/filebeat/module/cylance/fields.go new file mode 100644 index 00000000000..5ef2571c158 --- /dev/null +++ b/x-pack/filebeat/module/cylance/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cylance + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cylance", asset.ModuleFieldsPri, AssetCylance); err != nil { + panic(err) + } +} + +// AssetCylance returns asset data. +// This is the base64 encoded gzipped contents of module/cylance. +func AssetCylance() string { + return "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" +} diff --git a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml new file mode 100644 index 00000000000..fc90f92344c --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cylance"
+ product: "Protect"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cylance/protect/config/liblogparser.js
+ - ${path.home}/module/cylance/protect/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
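Review bot: The `{{ else }}` branch configures the network listener with only `type: {{.input}}` and `host: "{{.syslog_host}}:{{.syslog_port}}"`, so as far as this template shows there is no variable through which an operator can enable TLS or client authentication on a tcp/udp syslog input, and a listener bound beyond localhost accepts cleartext, unauthenticated events. If that is the intended scope, say so in the template so nobody assumes transport protection, e.g. `# tcp/udp syslog input: no ssl settings are exposed here; keep syslog_host on localhost or place a TLS-terminating forwarder in front.` Otherwise consider plumbing an optional `ssl` section through the manifest variables next to `syslog_host`/`syslog_port`. The same input template shape is presumably shared by the other datasets added in this PR, so whichever option is chosen applies to them as well.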
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset =
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + +var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + +var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + +var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + +var dup6 = setc("eventcategory","1901000000"); + +var dup7 = setc("vendor_event_cat"," AuditLog"); + +var dup8 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup9 = field("event_type"); + +var dup10 = field("event_cat"); + +var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + +var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + +var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + +var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); + +var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + +var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + +var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + +var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + +var dup19 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], +}); + +var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + +var dup21 = constant("1701000000"); + +var dup22 = constant("1804000000"); + +var dup23 = 
constant("1003010000"); + +var dup24 = linear_select([ + dup3, + dup4, +]); + +var dup25 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup9, +}); + +var dup26 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup10, +}); + +var dup27 = linear_select([ + dup12, + dup13, +]); + +var dup28 = linear_select([ + dup15, + dup16, +]); + +var dup29 = linear_select([ + dup17, + dup18, +]); + +var dup30 = linear_select([ + dup20, + dup14, +]); + +var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + +var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); + +var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); + +var select2 = linear_select([ + part2, + part3, +]); + +var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", "nwparser.p0", "Category: %{category}; Reason: %{result}, User: 
%{p0}"); + +var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); + +var select3 = linear_select([ + part4, + part5, +]); + +var all1 = all_match({ + processors: [ + dup2, + dup24, + part1, + select2, + select3, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg1 = msg("CylancePROTECT:01", all1); + +var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + +var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + +var select4 = linear_select([ + part6, + part7, +]); + +var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + +var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + +var select5 = linear_select([ + part8, + part9, +]); + +var all2 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select4, + select5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg2 = msg("CylancePROTECT:02", all2); + +var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + +var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + +var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + +var select6 = linear_select([ + part10, + part11, + part12, +]); + +var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + +var all3 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select6, + part13, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg3 = msg("CylancePROTECT:03", all3); + +var part14 = 
match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + +var all4 = all_match({ + processors: [ + dup2, + dup24, + part14, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg4 = msg("CylancePROTECT:04", all4); + +var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + +var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + +var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + +var select7 = linear_select([ + part15, + part16, + part17, +]); + +var all5 = all_match({ + processors: [ + dup2, + dup24, + dup11, + select7, + dup5, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg5 = msg("CylancePROTECT:05", all5); + +var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + +var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + +var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + +var select8 = linear_select([ + part19, + part20, +]); + +var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); + +var select9 = linear_select([ + part21, + dup5, +]); + +var all6 = all_match({ + processors: [ + dup2, + dup24, + part18, + select8, + select9, + ], + on_success: processor_chain([ + dup6, + dup7, + dup8, + dup25, + dup26, + ]), +}); + +var msg6 = msg("CylancePROTECT:06", all6); + +var part22 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + +var part23 = 
match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + +var select10 = linear_select([ + part22, + part23, +]); + +var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + +var all7 = all_match({ + processors: [ + dup2, + select10, + part24, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ExploitAttempt"), + dup8, + dup25, + dup26, + ]), +}); + +var msg7 = msg("CylancePROTECT:07", all7); + +var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + +var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + +var select11 = linear_select([ + part25, + part26, +]); + +var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + +var all8 = all_match({ + processors: [ + dup2, + select11, + part27, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," DeviceControl"), + dup8, + dup25, + dup26, + ]), +}); + +var msg8 = msg("CylancePROTECT:08", all8); + +var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + +var part29 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + +var select12 = linear_select([ + part29, + dup14, +]); + +var all9 = 
all_match({ + processors: [ + dup2, + dup27, + part28, + select12, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," ScriptControl"), + dup8, + dup25, + dup26, + ]), +}); + +var msg9 = msg("CylancePROTECT:09", all9); + +var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + +var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); + +var select13 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + +var all10 = all_match({ + processors: [ + dup2, + select13, + part32, + ], + on_success: processor_chain([ + dup6, + setc("vendor_event_cat"," Threat"), + dup8, + dup25, + dup26, + ]), +}); + +var msg10 = msg("CylancePROTECT:10", all10); + +var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + +var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); + +var select14 = linear_select([ + part33, + part34, +]); + +var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + +var all11 = all_match({ + processors: [ + dup2, + select14, + part35, + ], + on_success: processor_chain([ + dup6, + 
setc("vendor_event_cat"," AppControl"), + dup25, + dup26, + ]), +}); + +var msg11 = msg("CylancePROTECT:11", all11); + +var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + +var all12 = all_match({ + processors: [ + dup2, + dup28, + part36, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg12 = msg("CylancePROTECT:15", all12); + +var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + +var all13 = all_match({ + processors: [ + dup2, + dup28, + part37, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg13 = msg("CylancePROTECT:14", all13); + +var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + +var all14 = all_match({ + processors: [ + dup2, + dup28, + part38, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg14 = msg("CylancePROTECT:13", all14); + +var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + +var all15 = all_match({ + processors: [ + dup2, + dup28, + part39, + dup29, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg15 = msg("CylancePROTECT:16", all15); + +var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", 
"%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + +var all16 = all_match({ + processors: [ + dup2, + dup27, + part40, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg16 = msg("CylancePROTECT:25", all16); + +var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + +var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + +var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + +var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); + +var select15 = linear_select([ + part42, + part43, + part44, +]); + +var all17 = all_match({ + processors: [ + dup2, + dup28, + part41, + select15, + ], + on_success: processor_chain([ + dup6, + dup8, + dup25, + dup26, + ]), +}); + +var msg17 = msg("CylancePROTECT:12", all17); + +var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + +var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + +var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); + +var select16 = linear_select([ + part46, + part47, +]); + +var all18 = all_match({ + processors: [ + part45, + select16, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg18 = msg("CylancePROTECT:17", all18); + +var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: 
(%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup6, + dup19, + dup25, + dup26, +])); + +var msg19 = msg("CylancePROTECT:18", part48); + +var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + +var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); + +var select17 = linear_select([ + part50, + dup14, +]); + +var all19 = all_match({ + processors: [ + part49, + select17, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg20 = msg("CylancePROTECT:19", all19); + +var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + +var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + +var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + +var select18 = linear_select([ + part52, + part53, +]); + +var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); + +var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); + +var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); + +var select19 = linear_select([ + part55, + part56, +]); + +var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + +var all20 = all_match({ + processors: [ + part51, + select18, + part54, + select19, + part57, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg21 = msg("CylancePROTECT:20", all20); + +var part58 = match("MESSAGE#21:CylancePROTECT:21", 
"nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup6, + dup19, + dup25, + dup26, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), +])); + +var msg22 = msg("CylancePROTECT:21", part58); + +var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + +var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + +var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + +var select20 = linear_select([ + part60, + part61, +]); + +var all21 = all_match({ + processors: [ + part59, + select20, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg23 = msg("CylancePROTECT:22", all21); + +var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup6, + dup19, + dup25, + dup26, +])); + +var msg24 = msg("CylancePROTECT:23", part62); + +var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); + +var part64 = 
match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); + +var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); + +var select21 = linear_select([ + part64, + part65, +]); + +var all22 = all_match({ + processors: [ + part63, + select21, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg25 = msg("CylancePROTECT:24", all22); + +var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + +var all23 = all_match({ + processors: [ + part66, + dup30, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg26 = msg("CylancePROTECT:26", all23); + +var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + +var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + +var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + +var select22 = linear_select([ + part68, + part69, +]); + +var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + +var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + +var select23 = linear_select([ + part71, + dup14, +]); + +var all24 = all_match({ + processors: [ + part67, + select22, + part70, + select23, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg27 = msg("CylancePROTECT:27", all24); + +var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + +var part73 = 
match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + +var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); + +var select24 = linear_select([ + part73, + part74, +]); + +var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); + +var all25 = all_match({ + processors: [ + part72, + select24, + part75, + ], + on_success: processor_chain([ + dup6, + dup19, + dup25, + dup26, + ]), +}); + +var msg28 = msg("CylancePROTECT:28", all25); + +var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), +]); + +var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + +var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + +var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + +var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + +var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + +var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + +var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + +var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", 
"nwparser.p0", "%{info}"); + +var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + +var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); + +var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + +var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); + +var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + +var select26 = linear_select([ + dup3, + dup4, +]); + +var select27 = linear_select([ + dup12, + dup13, +]); + +var select28 = linear_select([ + dup15, + dup16, +]); + +var select29 = linear_select([ + dup17, + dup18, +]); + +var select30 = linear_select([ + dup20, + dup14, +]); diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml new file mode 100644 index 00000000000..d6bca1e8c47 --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for CylanceProtect
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cylance/protect/manifest.yml b/x-pack/filebeat/module/cylance/protect/manifest.yml
new file mode 100644
index 00000000000..d0f61417f4b
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/manifest.yml 
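Review bot: The `user_agent` processor on `user_agent.original` looks like template carry-over: none of the CylancePROTECT message patterns visible in the pipeline.js hunk above extracts a user-agent value, so unless the shared ECS mapping populates that field elsewhere the processor is a no-op while still pulling in the `ingest-user_agent` plugin requirement. Either drop it together with the matching `requires.processors` entry, or document the intent, e.g. `# user_agent.original is not produced by the Cylance parser; kept for parity with sibling modules`. It is also worth a one-line comment on `on_failure` that, because every enrichment sets `ignore_missing: true`, an appended `error.message` here will almost always mean a malformed IP reached `source.ip`/`destination.ip`, which is the signal to watch for parser regressions on this dataset.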
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["cylance.protect", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9508
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log
new file mode 100644
index 00000000000..85f71671cc9
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log 
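Review bot: The listener defaults (`input: udp`, `syslog_host: localhost`, `syslog_port: 9508`) carry no explanation in the manifest, and operators will have to change `syslog_host` before any appliance can reach the port. A short comment would save that discovery, e.g. `# Default listener is UDP on localhost:9508; set syslog_host to a non-loopback address to receive from Cylance appliances`, ideally with the reminder that plain UDP syslog gives no sender authentication, so the device, user and IP fields parsed out of each message are only as trustworthy as the network path to this port (TCP or a TLS-terminating relay is the usual mitigation). `tz_offset: local` likewise deserves a note that message timestamps are interpreted in the Filebeat host's zone unless overridden, since the sample events in generated.log carry no zone designator.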
@@ -0,0 +1,100 @@ +29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) +2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) +26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu +2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) +2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) +uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo +24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq +ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) +2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, 
Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan +2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc +20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu +2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute +July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc +olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend +2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd +ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: 
Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib +13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae +Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit +12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat +ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi +Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam +24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex +8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum +Dec 23 12:09:07 
ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur +6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame +20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame +2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) +uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) +2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) +2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) +uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: 
onula, Zone Names: miu +Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 +30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) +14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq +iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom +2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte +2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) +11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE 
Zone Names: stquid +25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo +8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu +September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute +2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea +4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide +nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, 
Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita +Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema +16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm +1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau +hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai +ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici +Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud +Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat +bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac 
[llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) +Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse +Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl +2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) +quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum +2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) +2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun +2018-6-19T3:46:49.oremip 
its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui +3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati +17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) +edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine +15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo +29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia +2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: 
lupta ura (oreeufug) +2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum +2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex +25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt +9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat +inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo +2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) +21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance 
Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin +Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme +19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate +inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio +Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem +odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv +Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum +1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device 
Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod +15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) +isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae +2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) +2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu) +11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) +Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita +10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon 
+24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam +Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi +21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil +5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015 +19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) +Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod +Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone 
Names:aqua, Device Id: edquiac, Policy Name: sit +rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta +15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam +ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) +14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json new file mode 100644 index 00000000000..abf3264f09f --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -0,0 +1,3545 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", + "fileset.name": "protect", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "uii", + "rsa.identity.lastname": "umexe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "estlabo", + "rsa.misc.node": "pisciv", + "rsa.misc.policy_name": "orev", + "rsa.network.alias_host": [ + "nostrud4819.mail.test" + ], + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", + "fileset.name": "protect", + "host.name": "volup208.invalid", + "input.type": "log", + "log.offset": 271, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "luptat", + "rsa.identity.lastname": "isiutal", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "moenimi", + "rsa.misc.node": "vol", + "rsa.network.alias_host": [ + "volup208.invalid" + ], + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-26T10:15:08.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", + "fileset.name": "protect", + "host.name": "eius6159.www5.localhost", + "input.type": "log", + "log.offset": 453, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "temvel", + "rsa.identity.firstname": "lupt", + "rsa.identity.lastname": "tia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "aer", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "oloremqu", + "rsa.network.alias_host": [ + "eius6159.www5.localhost" + ], + "rsa.time.event_time": "2020-02-26T10:15:08.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: 
SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", + "fileset.name": "protect", + "host.name": "ratvolup497.www.corp", + "input.type": "log", + "log.offset": 690, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ommodic", + "rsa.identity.firstname": "mipsu", + "rsa.identity.lastname": "consec", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "taliquip", + "rsa.network.alias_host": [ + "ratvolup497.www.corp" + ], + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", + "fileset.name": "protect", + "host.name": "tatno5625.api.local", + "input.type": "log", + "log.offset": 869, + "observer.product": "taliqu", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.identity.lastname": "aperi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "ommod", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "iveli", + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tatno5625.api.local" + ], + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "cylance", + 
"tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", + "fileset.name": "protect", + "host.mac": "01:00:5e:dc:bb:8b", + "host.name": "maveniam1399.mail.lan", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.124.61.119" + ], + "related.user": [ + "occ" + ], + "rsa.db.index": "reetdolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.OS": "ect", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "eip", + "rsa.network.alias_host": [ + "maveniam1399.mail.lan" + ], + "rsa.network.eth_host": "01:00:5e:dc:bb:8b", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "service.type": "cylance", + "source.ip": [ + "10.124.61.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "occ" + }, + { + "@timestamp": "2020-04-24T14:25:25.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", + "fileset.name": "protect", + "host.name": 
"nimadmin6499.local", + "input.type": "log", + "log.offset": 1370, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lorem", + "rsa.identity.firstname": "urerep", + "rsa.identity.lastname": "aquaeab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.device_name": "dexe", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "liqu", + "rsa.network.alias_host": [ + "nimadmin6499.local" + ], + "rsa.time.event_time": "2020-04-24T14:25:25.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos)", + "fileset.name": "protect", + "host.name": "suntinc4934.www5.test", + "input.type": "log", + "log.offset": 1612, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dmi", + "rsa.identity.lastname": "olab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "uovol", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "mquisnos", + "rsa.misc.policy_name": "uptatev", + "rsa.network.alias_host": [ + "suntinc4934.www5.test" + ], + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-05-22T04:30:33.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", + "file.directory": "aspern", + "fileset.name": "protect", + "host.name": "reetdolo2451.www.example", + "input.type": "log", + "log.offset": 1814, + "network.application": "itlabori", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2344", + "related.user": [ + "usan" + ], + "rsa.db.index": "ollit", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "llam", + "rsa.misc.version": "1.2344", + "rsa.network.alias_host": [ + "reetdolo2451.www.example" + ], + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "usan" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "event.action": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", + "fileset.name": "protect", + "host.name": "uis7612.www5.domain", + "input.type": "log", + "log.offset": 2074, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "emeumfug", + "rsa.misc.event_type": "Registration", + "rsa.network.alias_host": [ + "uis7612.www5.domain" + ], + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", + "fileset.name": "protect", + "host.name": "admi3749.api.lan", + "input.type": "log", + "log.offset": 2210, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nimadmin", + "rsa.identity.firstname": "iqui", + "rsa.identity.lastname": "etc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.device_name": "tinvol", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "etM", + "rsa.network.alias_host": [ + "admi3749.api.lan" + ], + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.action": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", + 
"file.directory": "Nemoen", + "fileset.name": "protect", + "host.name": "rudexerc703.internal.host", + "input.type": "log", + "log.offset": 2487, + "network.application": "tfug", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.5383", + "related.user": [ + "isaute" + ], + "rsa.db.index": "urE", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "onproide", + "rsa.misc.version": "1.5383", + "rsa.network.alias_host": [ + "rudexerc703.internal.host" + ], + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "isaute" + }, + { + "@timestamp": "2016-07-18T20:40:00.000Z", + "event.action": "cancel", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", + "file.directory": "Lor", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 2754, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.199.98.186" + ], + "rsa.db.index": "erc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.checksum": "itecto", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": 
"sequatur", + "rsa.time.event_time": "2016-07-18T20:40:00.000Z", + "service.type": "cylance", + "source.ip": [ + "10.199.98.186" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "file.directory": "giatquov", + "file.name": "ici", + "file.type": "tati", + "fileset.name": "protect", + "host.name": "estqu1709.internal.example", + "input.type": "log", + "log.offset": 3047, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.64.70.5" + ], + "rsa.crypto.sig_type": "eprehend", + "rsa.db.index": "iadese", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "dexeac", + "rsa.misc.event_state": "atvol", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uasia", + "rsa.network.alias_host": [ + "estqu1709.internal.example" + ], + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.web.reputation_num": 145.898, + "service.type": "cylance", + "source.ip": [ + "10.64.70.5" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + 
"event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", + "fileset.name": "protect", + "host.mac": "01:00:5e:93:1c:9f", + "host.name": "xeac7155.www.localdomain", + "input.type": "log", + "log.offset": 3563, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.143.239.210" + ], + "related.user": [ + "oinBCSe" + ], + "rsa.db.index": "sedd", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "pida", + "rsa.misc.OS": "mnisist", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "xeac7155.www.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:93:1c:9f", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "cylance", + "source.ip": [ + "10.143.239.210" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "oinBCSe" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "event.action": "accept", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", + "fileset.name": "protect", + "host.name": "maccusa5126.api.domain", + "input.type": "log", + 
"log.offset": 3854, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "aliqu.exe", + "process.pid": 2289, + "related.ip": [ + "10.32.143.134" + ], + "related.user": [ + "olupta" + ], + "rsa.db.index": "eFinib", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "olorema", + "rsa.misc.policy_name": "mipsumd", + "rsa.network.alias_host": [ + "maccusa5126.api.domain" + ], + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "service.type": "cylance", + "source.ip": [ + "10.32.143.134" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "olupta" + }, + { + "@timestamp": "2019-09-13T12:51:07.000Z", + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", + "fileset.name": "protect", + "host.name": "llu4718.localhost", + "input.type": "log", + "log.offset": 4159, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "psaquae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "oidentsu", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "conseq", + "rsa.misc.serial_number": "ern", + "rsa.network.alias_host": [ + 
"llu4718.localhost" + ], + "rsa.time.event_time": "2019-09-13T12:51:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-28T07:53:42.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 4504, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ari", + "rsa.identity.firstname": "rinrepre", + "rsa.identity.lastname": "etconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "stquidol", + "rsa.misc.device_name": "leumiu", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "tincu", + "rsa.misc.policy_name": "taevit", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", + "fileset.name": "protect", + "host.name": "eaq908.api.home", + "input.type": "log", + "log.offset": 4737, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Cylance", + "rsa.db.index": "equat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "luptasn", + "rsa.network.alias_host": [ + "eaq908.api.home" + ], + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", + "file.directory": "olor", + "fileset.name": "protect", + "host.name": "mcolab379.internal.home", + "input.type": "log", + "log.offset": 4991, + "network.application": "Neque", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.4129", + "related.user": [ + "fdeFi" + ], + "rsa.db.index": "iutali", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "tper", + "rsa.misc.version": "1.4129", + "rsa.network.alias_host": [ + "mcolab379.internal.home" + ], + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "fdeFi" + }, + { + "@timestamp": "2019-11-10T05:01:24.000Z", + "event.action": "threat_quarantined", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", + "fileset.name": "protect", + "host.mac": "01:00:5e:3f:c4:6c", + "input.type": "log", + "log.offset": 5268, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.237.205.140" + ], + "related.user": [ + "uames" + ], + "rsa.db.index": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "boN", + "rsa.misc.OS": "iduntu", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "ectio", + "rsa.network.eth_host": "01:00:5e:3f:c4:6c", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "service.type": "cylance", + "source.ip": [ + "10.237.205.140" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "uames" + }, + { + "@timestamp": "2019-11-24T12:03:59.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", + "fileset.name": "protect", + "host.name": "sciun4694.api.lan", + "input.type": "log", + "log.offset": 5527, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "enderit", + "rsa.identity.firstname": "idata", + "rsa.identity.lastname": "rumwritt", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.device_name": "nsect", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "magnid", + "rsa.network.alias_host": [ + "sciun4694.api.lan" + ], + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-08T07:06:33.000Z", + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", + "fileset.name": "protect", + "host.name": "mni7200.mail.localdomain", + "input.type": "log", + "log.offset": 5772, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uisau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "mni7200.mail.localdomain" + ], + "rsa.time.event_time": "2019-12-08T07:06:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-23T14:09:07.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 5973, + 
"observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "quinesc", + "rsa.network.zone": "madmi", + "rsa.time.event_time": "2019-12-23T14:09:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", + "file.directory": "orro", + "fileset.name": "protect", + "host.name": "ntoccae1705.internal.invalid", + "input.type": "log", + "log.offset": 6150, + "network.application": "tae", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3212", + "related.user": [ + "aperiame" + ], + "rsa.db.index": "tlab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "sBon", + "rsa.misc.version": "1.3212", + "rsa.network.alias_host": [ + "ntoccae1705.internal.invalid" + ], + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "aperiame" + }, + { + "@timestamp": "2020-01-20T04:14:16.000Z", + 
"event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", + "fileset.name": "protect", + "host.name": "etconsec6708.internal.invalid", + "input.type": "log", + "log.offset": 6477, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "mquame", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.device_name": "tquov", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "ersp", + "rsa.misc.serial_number": "tes", + "rsa.network.alias_host": [ + "etconsec6708.internal.invalid" + ], + "rsa.time.event_time": "2020-01-20T04:14:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", + "fileset.name": "protect", + "host.name": "Sedutp7428.internal.home", + "input.type": "log", + "log.offset": 6841, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "iquipe", + "rsa.identity.firstname": "upida", + "rsa.identity.lastname": "tvolupt", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "eufugi", + "rsa.misc.policy_name": "itempor", + "rsa.network.alias_host": [ + "Sedutp7428.internal.home" + ], + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", + "fileset.name": "protect", + "host.name": "ati4639.www5.home", + "input.type": "log", + "log.offset": 7059, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "con", + "rsa.identity.lastname": "nisist", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "usmodte", + "rsa.misc.node": "ven", + "rsa.network.alias_host": [ + "ati4639.www5.home" + ], + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The 
Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", + "fileset.name": "protect", + "host.name": "torever662.www5.home", + "input.type": "log", + "log.offset": 7233, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", + "rsa.identity.firstname": "amcol", + "rsa.identity.lastname": "adeser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "oin", + "rsa.network.alias_host": [ + "torever662.www5.home" + ], + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)", + "fileset.name": "protect", + "host.name": "emeumfug4387.internal.lan", + "input.type": "log", + "log.offset": 7474, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ccaeca", + "rsa.identity.lastname": "niamq", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "iduntu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "lapariat", + "rsa.misc.node": "untincul", + "rsa.network.alias_host": [ + 
"emeumfug4387.internal.lan" + ], + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", + "fileset.name": "protect", + "host.name": "rumwrit764.www5.local", + "input.type": "log", + "log.offset": 7679, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "miu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "etMal", + "rsa.misc.serial_number": "onula", + "rsa.network.alias_host": [ + "rumwrit764.www5.local" + ], + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-16T10:29:41.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 8019, + "observer.product": "Protect", + "observer.type": "Anti-Virus", 
+ "observer.vendor": "Cylance", + "related.ip": [ + "10.13.66.97" + ], + "rsa.identity.firstname": "dicta", + "rsa.identity.lastname": "taedicta", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "ritt", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "service.type": "cylance", + "source.ip": [ + "10.13.66.97" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.action": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", + "fileset.name": "protect", + "host.name": "oremi1485.api.localhost", + "input.type": "log", + "log.offset": 8195, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "atisund", + "rsa.identity.lastname": "xea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "amvolupt", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "ites", + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oremi1485.api.localhost" + ], + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-14T12:34:50.000Z", + "event.action": "threat_found", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "fileset.name": "protect", + "host.name": "periam126.api.host", + "input.type": "log", + "log.offset": 8475, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "rExc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.checksum": "tame", + "rsa.misc.event_type": "threat_found", + "rsa.network.alias_host": [ + "periam126.api.host" + ], + "rsa.time.event_time": "2020-05-14T12:34:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "file.directory": "sit", + "file.name": "iquamqua", + "file.type": "olorsit", + "fileset.name": "protect", + "host.name": "tate6578.api.localdomain", + "input.type": "log", + "log.offset": 8683, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + 
"related.ip": [ + "10.252.165.146" + ], + "rsa.crypto.sig_type": "undeom", + "rsa.db.index": "turadip", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "ita", + "rsa.misc.event_state": "exeaco", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "yCiceroi", + "rsa.network.alias_host": [ + "tate6578.api.localdomain" + ], + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.web.reputation_num": 51.523, + "service.type": "cylance", + "source.ip": [ + "10.252.165.146" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", + "fileset.name": "protect", + "host.mac": "01:00:5e:f9:78:c2", + "host.name": "midestl1919.host", + "input.type": "log", + "log.offset": 9194, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.124.88.222" + ], + "related.user": [ + "onu" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.OS": "liquaUte", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "aUt", + "rsa.network.alias_host": [ + "midestl1919.host" + ], + "rsa.network.eth_host": "01:00:5e:f9:78:c2", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": 
"cylance", + "source.ip": [ + "10.124.88.222" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "onu" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons)", + "fileset.name": "protect", + "host.name": "eiusmod3517.internal.invalid", + "input.type": "log", + "log.offset": 9469, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dol", + "rsa.identity.lastname": "sciun", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "labor", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "metcons", + "rsa.misc.node": "olup", + "rsa.network.alias_host": [ + "eiusmod3517.internal.invalid" + ], + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", + "fileset.name": "protect", + "host.mac": "01:00:5e:54:ab:3f", + "host.name": 
"ntexpl3889.www.home", + "input.type": "log", + "log.offset": 9678, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.156.34.19" + ], + "related.user": [ + "imveni" + ], + "rsa.db.index": "stquid", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "Cic", + "rsa.misc.OS": "ariaturE", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "saqu", + "rsa.network.alias_host": [ + "ntexpl3889.www.home" + ], + "rsa.network.eth_host": "01:00:5e:54:ab:3f", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "cylance", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "imveni" + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", + "fileset.name": "protect", + "host.mac": "01:00:5e:ee:e8:77", + "host.name": "ntium4450.www5.localdomain", + "input.type": "log", + "log.offset": 10027, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.22.94.10" + ], + "related.user": [ + "ssusci" + ], + "rsa.db.index": "mpo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.OS": "animid", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "vol", + 
"rsa.network.alias_host": [ + "ntium4450.www5.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:ee:e8:77", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "cylance", + "source.ip": [ + "10.22.94.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ssusci" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "fileset.name": "protect", + "host.name": "erspi5757.local", + "input.type": "log", + "log.offset": 10341, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "undeomni", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uov", + "rsa.misc.serial_number": "quaU", + "rsa.network.alias_host": [ + "erspi5757.local" + ], + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T13:52:50.000Z", + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: 
Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10755, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lmolesti", + "rsa.identity.firstname": "uptate", + "rsa.identity.lastname": "lloinven", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "econs", + "rsa.time.event_time": "2019-08-22T13:52:50.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:00.000Z", + "event.action": "allow", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", + "file.directory": "isi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10997, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.153.34.43" + ], + "rsa.db.index": "saute", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.checksum": "culpaq", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "fugits", + "rsa.time.event_time": 
"2017-09-06T08:55:00.000Z", + "service.type": "cylance", + "source.ip": [ + "10.153.34.43" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", + "fileset.name": "protect", + "host.name": "magnid3343.home", + "input.type": "log", + "log.offset": 11290, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "obea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "gitse", + "rsa.misc.serial_number": "col", + "rsa.network.alias_host": [ + "magnid3343.home" + ], + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-04T11:00:32.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", + "fileset.name": "protect", + "host.name": "asperna7623.www.home", + "input.type": "log", + "log.offset": 11623, + "observer.product": "Protect", + 
"observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "onproide", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dexe", + "rsa.network.alias_host": [ + "asperna7623.www.home" + ], + "rsa.network.zone": "tat", + "rsa.time.event_time": "2019-10-04T11:00:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", + "file.directory": "seddoeiu", + "fileset.name": "protect", + "host.name": "undeom845.www5.example", + "input.type": "log", + "log.offset": 11837, + "network.application": "nse", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3421", + "related.user": [ + "tassita" + ], + "rsa.db.index": "quira", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "liq", + "rsa.misc.version": "1.3421", + "rsa.network.alias_host": [ + "undeom845.www5.example" + ], + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "tassita" + }, + { + "@timestamp": "2019-11-02T13:05:41.000Z", + "event.action": "threat_changed", + "event.code": "CylancePROTECT", 
+ "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 12101, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tatema", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nisiut", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "quira", + "rsa.network.zone": "rror", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.action": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "file.directory": "nculpaq", + "file.name": "psa", + "file.type": "iame", + "fileset.name": "protect", + "host.name": "ons5050.mail.test", + "input.type": "log", + "log.offset": 12269, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.48.209.115" + ], + 
"rsa.crypto.sig_type": "adm", + "rsa.db.index": "cta", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "sequat", + "rsa.misc.event_state": "ccaec", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "mquiad", + "rsa.network.alias_host": [ + "ons5050.mail.test" + ], + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.web.reputation_num": 75.498, + "service.type": "cylance", + "source.ip": [ + "10.48.209.115" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-01T03:10:49.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", + "fileset.name": "protect", + "host.mac": "01:00:5e:e8:41:ae", + "host.name": "oloreeu7597.mail.home", + "input.type": "log", + "log.offset": 12834, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.7.99.47" + ], + "related.user": [ + "evolupta" + ], + "rsa.db.index": "ditau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.OS": "teturadi", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "nula", + "rsa.network.alias_host": [ + "oloreeu7597.mail.home" + ], + "rsa.network.eth_host": "01:00:5e:e8:41:ae", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.7.99.47" + 
], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "evolupta" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.action": "Device Updated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", + "fileset.name": "protect", + "host.name": "ueip5847.api.test", + "input.type": "log", + "log.offset": 13150, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "Nemoenim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "sed", + "rsa.misc.checksum": "labori", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "ueip5847.api.test" + ], + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", + "file.directory": "eufug", + "fileset.name": "protect", + "host.name": "uid3520.www.home", + "input.type": "log", + "log.offset": 13355, + "network.application": "roquisq", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.989", + 
"related.user": [ + "ici" + ], + "rsa.db.index": "civelits", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "prehend", + "rsa.misc.version": "1.989", + "rsa.network.alias_host": [ + "uid3520.www.home" + ], + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ici" + }, + { + "@timestamp": "2020-01-12T12:18:32.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 13623, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nostrud", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "iduntu", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "inibusB", + "rsa.time.event_time": "2020-01-12T12:18:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 
13772, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ugiat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "pariatur", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "imavenia", + "rsa.network.zone": "expli", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", + "fileset.name": "protect", + "host.name": "teir7585.www5.localdomain", + "input.type": "log", + "log.offset": 13945, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "scip", + "rsa.identity.lastname": "Finibus", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "Utenimad", + "rsa.misc.node": "oreverit", + "rsa.network.alias_host": [ + "teir7585.www5.localdomain" + ], + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-24T09:26:15.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 24 
7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14144, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ali", + "rsa.misc.device_name": "itasp", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "quunt", + "rsa.misc.serial_number": "volup", + "rsa.time.event_time": "2020-02-24T09:26:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14471, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "colabori", + "rsa.identity.firstname": "nvo", + "rsa.identity.lastname": "iamqui", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "atura", + "rsa.misc.device_name": "oreeu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "tassita", + 
"rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)", + "fileset.name": "protect", + "host.name": "serrorsi1096.www5.localdomain", + "input.type": "log", + "log.offset": 14653, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "reetdo", + "rsa.network.alias_host": [ + "serrorsi1096.www5.localdomain" + ], + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", + "fileset.name": "protect", + "host.name": "prehen4807.mail.invalid", + "input.type": 
"log", + "log.offset": 14890, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "meum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "remq", + "rsa.misc.serial_number": "ugia", + "rsa.network.alias_host": [ + "prehen4807.mail.invalid" + ], + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", + "fileset.name": "protect", + "host.name": "sit1400.www.lan", + "input.type": "log", + "log.offset": 15226, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ntsunti", + "rsa.identity.firstname": "uid", + "rsa.identity.lastname": "idatat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "onev", + "rsa.misc.policy_name": "borios", + "rsa.network.alias_host": [ + "sit1400.www.lan" + ], + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.action": "Device Updated", + "event.code": "CylancePROTECT", + "event.dataset": 
"cylance.protect", + "event.module": "cylance", + "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", + "fileset.name": "protect", + "host.name": "sectetu7182.localdomain", + "input.type": "log", + "log.offset": 15419, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "orissus", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "sectetu7182.localdomain" + ], + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", + "fileset.name": "protect", + "host.name": "officiad4982.www5.domain", + "input.type": "log", + "log.offset": 15567, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "etdolore", + "rsa.identity.lastname": "magnaa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "sumquiad", + "rsa.misc.node": "umtota", + "rsa.network.alias_host": [ + "officiad4982.www5.domain" + ], + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "service.type": 
"cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", + "fileset.name": "protect", + "host.name": "consequa1486.internal.localdomain", + "input.type": "log", + "log.offset": 15754, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "quaeratv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ptatemse", + "rsa.misc.checksum": "tobeata", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "consequa1486.internal.localdomain" + ], + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.action": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", + "fileset.name": "protect", + "host.mac": "01:00:5e:bc:c1:21", + "host.name": "its6443.mail.example", + "input.type": "log", + "log.offset": 15974, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.139.80.71" + ], + 
"related.user": [ + "orem" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "miurere", + "rsa.misc.OS": "eniamqui", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "tlabo", + "rsa.network.alias_host": [ + "its6443.mail.example" + ], + "rsa.network.eth_host": "01:00:5e:bc:c1:21", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.139.80.71" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "orem" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", + "file.directory": "ttenb", + "file.name": "itl", + "file.type": "oluptat", + "fileset.name": "protect", + "host.name": "tconsec7604.corp", + "input.type": "log", + "log.offset": 16248, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.223.246.244" + ], + "rsa.crypto.sig_type": "ercitati", + "rsa.db.index": "con", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "quiav", + "rsa.misc.event_state": 
"Nem", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "stiaecon", + "rsa.network.alias_host": [ + "tconsec7604.corp" + ], + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.web.reputation_num": 105.845, + "service.type": "cylance", + "source.ip": [ + "10.223.246.244" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", + "fileset.name": "protect", + "host.name": "tuser2694.internal.invalid", + "input.type": "log", + "log.offset": 16788, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "natus", + "rsa.identity.lastname": "boreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ugiatqu", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "luptasnu", + "rsa.misc.node": "turveli", + "rsa.misc.policy_name": "isciv", + "rsa.network.alias_host": [ + "tuser2694.internal.invalid" + ], + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: 
ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", + "fileset.name": "protect", + "host.name": "gnaaliq5240.api.test", + "input.type": "log", + "log.offset": 17069, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "ratvo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "esciun", + "rsa.misc.checksum": "volupt", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "gnaaliq5240.api.test" + ], + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-15T09:57:06.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", + "fileset.name": "protect", + "host.name": "illum2625.test", + "input.type": "log", + "log.offset": 17270, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "iaeconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "nimadmin", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "illum2625.test" + ], + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.action": "deny", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + 
"event.module": "cylance", + "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", + "file.directory": "emporin", + "fileset.name": "protect", + "host.name": "nulamc5617.mail.host", + "input.type": "log", + "log.offset": 17480, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.134.137.205" + ], + "rsa.db.index": "etquasia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "oreseosq", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "ntu", + "rsa.network.alias_host": [ + "nulamc5617.mail.host" + ], + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "cylance", + "source.ip": [ + "10.134.137.205" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", + "fileset.name": "protect", + "host.name": "tatem4713.internal.host", + "input.type": "log", + "log.offset": 17827, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "usci", + "rsa.identity.firstname": "lupta", + 
"rsa.identity.lastname": "ura", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "oreeufug", + "rsa.misc.policy_name": "unturmag", + "rsa.network.alias_host": [ + "tatem4713.internal.host" + ], + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum", + "fileset.name": "protect", + "host.mac": "01:00:5e:42:41:00", + "host.name": "ugits5961.www5.local", + "input.type": "log", + "log.offset": 18043, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.91.2.225" + ], + "related.user": [ + "rsp" + ], + "rsa.db.index": "nostrum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "naa", + "rsa.misc.OS": "imipsa", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "idolo", + "rsa.network.alias_host": [ + "ugits5961.www5.local" + ], + "rsa.network.eth_host": "01:00:5e:42:41:00", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "cylance", + "source.ip": [ + "10.91.2.225" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "rsp" + }, + { 
+ "@timestamp": "2018-10-11T14:07:23.000Z", + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex", + "fileset.name": "protect", + "host.name": "prehende5460.mail.localdomain", + "input.type": "log", + "log.offset": 18340, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "nimadmi.exe", + "process.pid": 601, + "related.ip": [ + "10.191.99.14" + ], + "related.user": [ + "lapa" + ], + "rsa.db.index": "iquipex", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "uido", + "rsa.misc.policy_name": "emoenimi", + "rsa.network.alias_host": [ + "prehende5460.mail.localdomain" + ], + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "cylance", + "source.ip": [ + "10.191.99.14" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "lapa" + }, + { + "@timestamp": "2019-10-25T09:09:57.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: 
lor Device Id: nvolupt", + "fileset.name": "protect", + "host.name": "velites1745.api.corp", + "input.type": "log", + "log.offset": 18660, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lor", + "rsa.identity.firstname": "naaliq", + "rsa.identity.lastname": "plica", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.change_new": "olorsit", + "rsa.misc.change_old": "nimides", + "rsa.misc.device_name": "psaqu", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "asiarc", + "rsa.network.alias_host": [ + "velites1745.api.corp" + ], + "rsa.time.event_time": "2019-10-25T09:09:57.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-09T04:12:32.000Z", + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat", + "fileset.name": "protect", + "host.name": "Duis583.api.local", + "input.type": "log", + "log.offset": 18964, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "dminim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "aperiame", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "Duis583.api.local" + ], + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": 
"2018-11-23T11:15:06.000Z", + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", + "file.directory": "umfu", + "fileset.name": "protect", + "host.name": "velitess2401.www.lan", + "input.type": "log", + "log.offset": 19179, + "network.application": "utla", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2478", + "rsa.db.index": "dolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "volupta", + "rsa.misc.version": "1.2478", + "rsa.network.alias_host": [ + "velitess2401.www.lan" + ], + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica)", + "fileset.name": "protect", + "host.name": "sequines3991.mail.local", + "input.type": "log", + "log.offset": 19432, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "sequines", + "rsa.identity.lastname": "minimve", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "reeufugi", + "rsa.misc.checksum": "eumfugia", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "texplica", + "rsa.misc.policy_name": "iquamqu", + "rsa.network.alias_host": [ + "sequines3991.mail.local" + ], + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", + "file.directory": "setquas", + "file.name": "itationu", + "file.type": "rna", + "fileset.name": "protect", + "host.name": "iatquo2815.mail.host", + "input.type": "log", + "log.offset": 19658, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.181.215.164" + ], + "rsa.crypto.sig_type": "tin", + "rsa.db.index": "iav", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "runtmoll", + "rsa.misc.event_state": 
"norumetM", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "imveni", + "rsa.network.alias_host": [ + "iatquo2815.mail.host" + ], + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.web.reputation_num": 38.593, + "service.type": "cylance", + "source.ip": [ + "10.181.215.164" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 20234, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tot", + "rsa.identity.firstname": "remips", + "rsa.identity.lastname": "laboreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "inBC", + "rsa.misc.device_name": "atevelit", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "uptate", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-19T03:25:23.000Z", + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: 
ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", + "fileset.name": "protect", + "host.name": "issusci7005.mail.host", + "input.type": "log", + "log.offset": 20482, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tiumtot", + "rsa.identity.firstname": "ecillumd", + "rsa.identity.lastname": "iumto", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.change_new": "saute", + "rsa.misc.change_old": "lors", + "rsa.misc.device_name": "ore", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "sequatu", + "rsa.network.alias_host": [ + "issusci7005.mail.host" + ], + "rsa.time.event_time": "2020-01-19T03:25:23.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.action": "accept", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio", + "file.directory": "reseo", + "fileset.name": "protect", + "host.name": "umq7428.invalid", + "input.type": "log", + "log.offset": 20794, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.164.59.219" + ], + "rsa.db.index": "ulpaquio", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "quam", + "rsa.misc.event_type": 
"SyslogSettingsSave", + "rsa.misc.node": "iad", + "rsa.network.alias_host": [ + "umq7428.invalid" + ], + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.164.59.219" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21074, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "eacomm", + "rsa.identity.firstname": "onorumet", + "rsa.identity.lastname": "iscivel", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "archite", + "rsa.misc.device_name": "rem", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "rinci", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", + "file.directory": "ionem", + "fileset.name": "protect", + "host.name": "epteurs5503.www5.home", + "input.type": "log", + 
"log.offset": 21262, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.1.193.187" + ], + "rsa.db.index": "dminimv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "taevitae", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "iscive", + "rsa.network.alias_host": [ + "epteurs5503.www5.home" + ], + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "cylance", + "source.ip": [ + "10.1.193.187" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-17T07:35:40.000Z", + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21536, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "atvol", + "rsa.identity.firstname": "tass", + "rsa.identity.lastname": "ugi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "ipiscin", + "rsa.misc.device_name": "orinr", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "riat", + "rsa.misc.policy_name": "umdo", + "rsa.time.event_time": "2020-03-17T07:35:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-01T14:38:14.000Z", + 
"event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", + "fileset.name": "protect", + "host.name": "omnisis5339.www5.local", + "input.type": "log", + "log.offset": 21759, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "Cicero", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "stiaec", + "rsa.misc.serial_number": "mqui", + "rsa.network.alias_host": [ + "omnisis5339.www5.local" + ], + "rsa.time.event_time": "2020-04-01T14:38:14.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", + "fileset.name": "protect", + "host.name": "ction491.www5.local", + "input.type": "log", + "log.offset": 22140, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "imveniam", + 
"rsa.identity.lastname": "sunte", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "exerc", + "rsa.misc.node": "ill", + "rsa.network.alias_host": [ + "ction491.www5.local" + ], + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", + "fileset.name": "protect", + "host.mac": "01:00:5e:9a:f3:b9", + "host.name": "undeom7847.api.corp", + "input.type": "log", + "log.offset": 22391, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.146.228.234" + ], + "related.user": [ + "susc" + ], + "rsa.db.index": "eatae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "uelaudan", + "rsa.misc.OS": "taed", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "teiru", + "rsa.network.alias_host": [ + "undeom7847.api.corp" + ], + "rsa.network.eth_host": "01:00:5e:9a:f3:b9", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "service.type": "cylance", + "source.ip": [ + "10.146.228.234" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "susc" + }, + { + "@timestamp": 
"2019-05-13T11:45:57.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", + "fileset.name": "protect", + "host.name": "dolo6230.mail.invalid", + "input.type": "log", + "log.offset": 22698, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.59.232.97" + ], + "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dolor", + "rsa.network.alias_host": [ + "dolo6230.mail.invalid" + ], + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.59.232.97" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", + "fileset.name": "protect", + "host.name": "nvolup6280.api.home", + "input.type": "log", + "log.offset": 22932, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dantium", + "rsa.identity.lastname": "ors", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "xeaco", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "dqu", + "rsa.misc.node": "uianonn", + "rsa.misc.policy_name": "eavolupt", + "rsa.network.alias_host": [ + "nvolup6280.api.home" + ], + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", + "fileset.name": "protect", + "host.name": "urautodi3892.www5.example", + "input.type": "log", + "log.offset": 23132, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nibu", + "rsa.identity.firstname": "mdolo", + "rsa.identity.lastname": "nof", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "usantiu", + "rsa.misc.policy_name": "quatur", + "rsa.network.alias_host": [ + "urautodi3892.www5.example" + ], + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-25T08:53:40.000Z", + "event.action": "allow", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + 
"event.original": "Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 23412, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "lab.exe", + "process.pid": 452, + "related.ip": [ + "10.36.18.24" + ], + "related.user": [ + "nsequ" + ], + "rsa.db.index": "ollita", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "itempo", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.device_name": "isciveli", + "rsa.misc.event_type": "Alert", + "rsa.misc.policy_name": "ing", + "rsa.time.event_time": "2020-06-25T08:53:40.000Z", + "service.type": "cylance", + "source.ip": [ + "10.36.18.24" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "nsequ" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", + "fileset.name": "protect", + "host.name": "uraut3756.www5.test", + "input.type": "log", + "log.offset": 23666, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "oluptat.exe", + "process.pid": 4608, + "related.ip": [ + 
"10.127.30.119" + ], + "related.user": [ + "stenatus" + ], + "rsa.db.index": "iaecon", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ollita", + "rsa.misc.policy_name": "eabillo", + "rsa.network.alias_host": [ + "uraut3756.www5.test" + ], + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "cylance", + "source.ip": [ + "10.127.30.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "stenatus" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", + "fileset.name": "protect", + "host.name": "squ2213.www.test", + "input.type": "log", + "log.offset": 24048, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rExce", + "rsa.identity.firstname": "rinc", + "rsa.identity.lastname": "tno", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "ncididu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "meumf", + "rsa.network.alias_host": [ + "squ2213.www.test" + ], + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + 
"event.action": "threat_changed", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 24334, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uamnihil", + "rsa.identity.firstname": "iadolo", + "rsa.identity.lastname": "ecatcup", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "snos", + "rsa.misc.device_name": "utod", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "orinrep", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", + "fileset.name": "protect", + "host.name": "umet5891.api.localdomain", + "input.type": "log", + "log.offset": 24569, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "ngelitse.exe", + "process.pid": 4190, + "related.ip": [ + "10.8.150.213" + ], 
+ "related.user": [ + "ugiatnul" + ], + "rsa.db.index": "hil", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dipisciv", + "rsa.misc.policy_name": "mips", + "rsa.network.alias_host": [ + "umet5891.api.localdomain" + ], + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.8.150.213" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ugiatnul" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", + "fileset.name": "protect", + "host.name": "umquam5574.internal.test", + "input.type": "log", + "log.offset": 24954, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.108.59.10" + ], + "rsa.identity.firstname": "magnama", + "rsa.identity.lastname": "reprehe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "citatio", + "rsa.network.alias_host": [ + "umquam5574.internal.test" + ], + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "cylance", + "source.ip": [ + "10.108.59.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.action": "ThreatUpdated", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", + "fileset.name": "protect", + "host.name": "volupt6822.api.invalid", + "input.type": "log", + "log.offset": 25191, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "qui", + "rsa.identity.lastname": "epteurs", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "tio", + "rsa.misc.checksum": "gnaa", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "did", + "rsa.misc.node": "xcepte", + "rsa.network.alias_host": [ + "volupt6822.api.invalid" + ], + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25471, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "commod", + "rsa.internal.messageid": 
"CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "rauto", + "rsa.misc.device_name": "rissusci", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "stl", + "rsa.misc.serial_number": "eumfugi", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25773, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "incidi", + "rsa.misc.device_name": "nto", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "tutlabo", + "rsa.misc.serial_number": "ateveli", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT 
edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", + "file.directory": "sunt", + "fileset.name": "protect", + "host.name": "amvol4075.mail.localhost", + "input.type": "log", + "log.offset": 26110, + "network.application": "orumSe", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3237", + "related.user": [ + "pta" + ], + "rsa.db.index": "psa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "onsequa", + "rsa.misc.version": "1.3237", + "rsa.network.alias_host": [ + "amvol4075.mail.localhost" + ], + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "pta" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.action": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam", + "fileset.name": "protect", + "host.name": "asi4651.api.test", + "input.type": "log", + "log.offset": 26380, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ssecill", + "rsa.identity.firstname": "officiad", + "rsa.identity.lastname": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": 
"emp", + "rsa.misc.event_type": "Registration", + "rsa.misc.mail_id": "labo", + "rsa.network.alias_host": [ + "asi4651.api.test" + ], + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "fileset.name": "protect", + "host.name": "perna6751.internal.home", + "input.type": "log", + "log.offset": 26645, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.138.85.233" + ], + "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "datatno", + "rsa.network.alias_host": [ + "perna6751.internal.home" + ], + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "service.type": "cylance", + "source.ip": [ + "10.138.85.233" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: 
AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "fileset.name": "protect", + "host.name": "evolupta7790.internal.local", + "input.type": "log", + "log.offset": 26895, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rehe", + "rsa.identity.firstname": "tam", + "rsa.identity.lastname": "deser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "int", + "rsa.misc.policy_name": "aper", + "rsa.network.alias_host": [ + "evolupta7790.internal.local" + ], + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md new file mode 100644 index 00000000000..37a9e5f20c3 --- /dev/null +++ b/x-pack/filebeat/module/f5/README.md @@ -0,0 +1,7 @@ +# f5 module + +This is a module for Big-IP Access Policy Manager logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 +at 2020-07-13 17:55:34.191415 +0000 UTC. + diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml new file mode 100644 index 00000000000..a40427c7730 --- /dev/null +++ b/x-pack/filebeat/module/f5/_meta/config.yml 
@@ -0,0 +1,38 @@
+- module: f5
+ bigipapm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9504
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ firepass:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9509
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
new file mode 100644
index 00000000000..058a7aa3ea9
--- /dev/null
+++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
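Review bot: The commented `# var.syslog_host: localhost` lines in both the bigipapm and firepass blocks carry no hint that the udp and tcp inputs open a network listener; the docs hunk for this module tells users to set `0.0.0.0` to bind all interfaces, and nothing visible in the module authenticates or filters senders on that socket, so any host that can reach port 9504 or 9509 could presumably inject events into the `f5` datasets. Since both filesets ship with `enabled: true`, enabling the module brings up both listeners at once. A one-line comment next to each `var.syslog_host` would make the trade-off explicit, e.g. `# Binding to 0.0.0.0 exposes an unauthenticated syslog listener; keep localhost or restrict reachability of the port.`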
@@ -0,0 +1,111 @@
+[role="xpack"]
+
+:modulename: f5
+:has-dashboards: false
+
+== F5 module
+
+experimental[]
+
+This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: bigipapm
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `bigipapm` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9504`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+[float]
+==== `firepass` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9509`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/f5/_meta/fields.yml b/x-pack/filebeat/module/f5/_meta/fields.yml
new file mode 100644
index 00000000000..7cd2cda6541
--- /dev/null
+++ b/x-pack/filebeat/module/f5/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: f5
+ title: Big-IP Access Policy Manager
+ description: >
+ f5 fields.
+ fields:
diff --git a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
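Review bot: `title: Big-IP Access Policy Manager` describes only the bigipapm fileset, while the config.yml and docs hunks register a second `firepass` fileset (F5 FirePass SSL VPN, per the changelog entry) under the same `f5` key, so the module-level title and the `f5 fields.` description will presumably label every firepass field as APM in the generated field reference. A title that covers the whole module, e.g. `title: F5`, or one naming both products, would fit both filesets. The README's "This is a module for Big-IP Access Policy Manager logs." and the docs intro "This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file." have the same gap and should be adjusted together with this line.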
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1
+ overwrite: true
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ overwrite: true
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ overwrite: true
+ type: keyword
+ - name: filter
+ overwrite: true
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ overwrite: true
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity
+ such as a file or process. Checksum should be used over checksum.src or checksum.dst
+ when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ combination of domain name and username in a windows log.
+ - name: virusname
+ overwrite: true
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ overwrite: true
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ overwrite: true
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ overwrite: true
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ overwrite: true
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ overwrite: true
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ overwrite: true
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ overwrite: true
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ overwrite: true
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml new file mode 100644 index 00000000000..2cfda9d24b5 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "F5"
+ product: "Big-IP"
+ type: "Access"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/f5/bigipapm/config/liblogparser.js
+ - ${path.home}/module/f5/bigipapm/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
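Review bot: The `rsa: {{.rsa_fields}}`, `keep_raw: {{.keep_raw_fields}}` and `debug: {{.debug}}` entries under `params:` carry no comment on what they expose, and an operator reading only this template cannot tell. The field definitions earlier in this diff declare a `password` key ("Passwords seen in any session, plain text or encrypted") among the vendor fields that `rsa_fields` presumably switches on, and liblogparser.js in this same PR writes every input message to Filebeat's own log when `debug` is on (`console.debug(" input: <<" + msg + ">>")`). Suggest a comment above `params:` such as `# rsa/keep_raw retain vendor fields and raw text that may contain credentials; debug writes every input line to the Filebeat log` so that index and log access controls can be planned accordingly.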
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain",
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field:
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field:
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id":
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field:
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field:
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field:
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field:
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp":
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter:
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar":
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var dup5 = setc("eventcategory","1801000000"); + +var dup6 = setc("eventcategory","1801010000"); + +var dup7 = setc("eventcategory","1502000000"); + +var dup8 = setc("eventcategory","1805010000"); + +var dup9 = setc("eventcategory","1803000000"); + +var dup10 = setc("eventcategory","1803030000"); + +var dup11 = setc("disposition"," Successful"); + +var dup12 = setc("dclass_counter1_string"," Logon Attempt"); + +var dup13 = setc("eventcategory","1204000000"); + +var dup14 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup15 = setc("eventcategory","1605000000"); + +var dup16 = setc("eventcategory","1612000000"); + +var dup17 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dB,dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + 
constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} 
%{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var msg1 = msg("01490502", dup18); + +var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, +])); + +var msg2 = msg("01490521", part1); + +var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, +])); + +var msg3 = msg("01490506", part2); + +var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup3, + dup2, +])); + +var msg4 = 
msg("01490113:01", part3); + +var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, +])); + +var msg5 = msg("01490113:02", part4); + +var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, +])); + +var msg6 = msg("01490113:03", part5); + +var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, +])); + +var msg7 = msg("01490113:04", part6); + +var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, +])); + +var msg8 = msg("01490113:05", part7); + +var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg9 = msg("01490113:06", part8); + +var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, +])); + +var msg10 = msg("01490113", part9); + +var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, +]); + +var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: 
Username '%{p0}"); + +var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + +var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), +}); + +var msg11 = msg("01490010", all1); + +var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, +])); + +var msg12 = msg("01490009", part13); + +var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, +])); + +var msg13 = msg("01490102", part14); + +var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup5, + dup2, +])); + +var msg14 = msg("01490000:02", part15); + +var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup6, + dup2, +])); + +var msg15 = msg("01490000:01", part16); + +var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup5, + dup2, +])); + +var 
msg16 = msg("01490000", part17); + +var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg17 = msg("01490000:03", part18); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, +]); + +var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup5, + dup2, +])); + +var msg18 = msg("01490004", part19); + +var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + +var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + +var select5 = linear_select([ + part20, + part21, +]); + +var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + +var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + +var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + +var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); + +var select6 = linear_select([ + part23, + part24, + part25, +]); + +var all2 = all_match({ + processors: [ + dup4, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg19 = msg("01490500", all2); + +var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg20 = 
msg("01490005", part26); + +var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup7, + dup2, +])); + +var msg21 = msg("01490006", part27); + +var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup7, + dup2, +])); + +var msg22 = msg("01490007", part28); + +var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup3, + dup2, +])); + +var msg23 = msg("01490008", part29); + +var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ + dup6, + dup2, +])); + +var msg24 = msg("01490514", part30); + +var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg25 = msg("01490505", part31); + +var msg26 = msg("01490501", dup18); + +var msg27 = msg("01490520", dup18); + +var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, +])); + +var msg28 = msg("01490142", part32); + +var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup8, + dup2, +])); + +var msg29 = msg("01490504", part33); + +var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup8, + dup2, +])); + +var msg30 = msg("01490538", part34); + +var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg31 = msg("01490107:01", part35); + +var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, +])); + +var msg32 = msg("01490107", part36); + +var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + +var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + +var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + +var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), +}); + +var msg33 = msg("01490107:02", all3); + +var select8 = linear_select([ + msg31, + msg32, + msg33, +]); + +var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg34 = msg("01490106", part41); + +var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg35 = msg("01490106:01", part42); + +var select9 = linear_select([ + msg34, + msg35, +]); + +var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup5, + dup2, +])); + +var msg36 = msg("01490128", part43); + +var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup10, + dup2, + setc("dclass_counter1_string","Newly active generation count"), +])); + +var msg37 = msg("01490101", part44); + +var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup10, + dup2, +])); + +var msg38 = msg("01490103", part45); + +var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg39 = msg("01490115", part46); + +var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup7, + dup2, + dup11, + dup12, +])); + +var msg40 = msg("01490017", part47); + +var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup7, + dup2, + setc("disposition"," Failed"), + dup12, +])); + +var msg41 = msg("01490017:01", part48); + +var select10 = linear_select([ + msg40, + msg41, +]); + +var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup7, + dup2, +])); + +var msg42 = msg("01490013", part49); + +var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, +])); + +var msg43 = msg("01490019", part50); + +var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, +])); + +var msg44 = msg("01490544", part51); + +var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), +])); + +var msg45 = msg("01490511", part52); + +var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), +])); + +var msg46 = 
msg("014d0002", part53); + +var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), +])); + +var msg47 = msg("014d0002:01", part54); + +var select11 = linear_select([ + msg46, + msg47, +]); + +var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup7, + dup2, +])); + +var msg48 = msg("01490079", part55); + +var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg49 = msg("01490165", part56); + +var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg50 = msg("01490166", part57); + +var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg51 = msg("01490167", part58); + +var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var 
msg52 = msg("01490169", part59); + +var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg53 = msg("0149016a", part60); + +var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg54 = msg("0149016b", part61); + +var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + +var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + +var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + +var select12 = linear_select([ + part63, + part64, +]); + +var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + +var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), +}); + +var msg55 = msg("ssl_acc", all4); + +var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg56 = msg("ssl_req", part66); + +var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg57 = 
msg("acc", part67); + +var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, +])); + +var msg58 = msg("crond", part68); + +var msg59 = msg("crond:01", dup19); + +var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg60 = msg("crond:02", part69); + +var select13 = linear_select([ + msg58, + msg59, + msg60, +]); + +var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, +])); + +var msg61 = msg("sSMTP", part70); + +var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup16, + dup2, +])); + +var msg62 = msg("01420002", part71); + +var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg63 = msg("syslog-ng", part72); + +var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg64 = msg("syslog-ng:01", part73); + +var select14 = linear_select([ + msg63, + msg64, +]); + +var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, +])); + +var msg65 = msg("auditd", 
part74); + +var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup5, + dup2, +])); + +var msg66 = msg("014d0001", part75); + +var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + +var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + +var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + +var select15 = linear_select([ + part77, + part78, +]); + +var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + +var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), +}); + +var msg67 = msg("014d0001:01", all5); + +var msg68 = msg("014d0001:02", dup20); + +var select16 = linear_select([ + msg66, + msg67, + msg68, +]); + +var msg69 = msg("014d0044", dup20); + +var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + +var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + +var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + +var select17 = linear_select([ + part81, + part82, +]); + +var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg70 = msg("01490549", all6); + +var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg71 = msg("01490547", part83); + +var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, +])); + +var msg72 = msg("01490517", part84); + +var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup3, + dup2, +])); + +var msg73 = msg("011f0005", part85); + +var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup3, + dup2, +])); + +var msg74 = msg("014d0048", part86); + +var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, +])); + +var msg75 = msg("error", part87); + +var msg76 = msg("CROND:03", dup19); + +var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, +])); + +var msg77 = msg("01260009", part88); + +var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: 
%{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg78 = msg("apmd:04", part89); + +var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, +])); + +var msg79 = msg("apmd:03", part90); + +var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + +var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + +var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + +var select18 = linear_select([ + part92, + part93, +]); + +var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), +}); + +var msg80 = msg("apmd:02", all7); + +var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg81 = msg("apmd", part94); + +var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, 
+ "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), +]); + +var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml new file mode 100644 index 00000000000..0ea72c6ba4d --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Big-IP Access Policy Manager
+
+processors:
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/f5/bigipapm/manifest.yml b/x-pack/filebeat/module/f5/bigipapm/manifest.yml
new file mode 100644
index 00000000000..f1b52ccede2
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/manifest.yml
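Review bot: The `on_failure` handler at the end of the hunk records only the failure message, so an event that took the error path cannot be attributed to a specific processor without re-reading the pipeline; the same ingest context also exposes `_ingest.on_failure_processor_type`. A one-line change covers it: `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`. A short header comment would also help a reader who opens this file first: every processor here is best-effort enrichment (`ignore_missing: true` throughout) and the fields it enriches are populated by the JS parser earlier in this diff, not by this pipeline.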
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+  - name: paths
+  - name: tags
+    default: ["f5.bigipapm", "forwarded"]
+  - name: syslog_host
+    default: localhost
+  - name: syslog_port
+    default: 9504
+  - name: input
+    default: udp
+  - name: community_id
+    default: true
+  - name: tz_offset
+    default: local
+  - name: rsa_fields
+    default: true
+  - name: keep_raw_fields
+    default: false
+  - name: debug
+    default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+  plugin: ingest-geoip
+- name: user_agent
+  plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log
new file mode 100644
index 00000000000..02f88d8e18b
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log
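Review bot: `input` defaults to `udp` on `syslog_port` 9504, which provides no sender authentication or transport integrity, and this dataset carries the authentication and session events that detections built on it will rely on. The manifest has no place for that caveat, so the module documentation should state it and point operators at the non-UDP choice for `input` where their device supports it; the accepted values are defined in config/input.yml, which is not in this chunk. The `syslog_host: localhost` default is the conservative one and should stay as is.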
@@ -0,0 +1,100 @@ +January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi +February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved. +February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq +March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi +March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248 +April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned +April 2016/04/24 00:25:25 aedic high gni: [syslog-ng] +May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse +May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem +June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: +June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati +July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. 
File: mnisist, Function: deny, Line: icons +July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel) +August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque +August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739 +August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm +September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup +September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad' +October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374 +October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. success ercita +November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio +November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce +December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned +December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned +January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access. 
+January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo +February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin +February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. success yCic +March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134) +March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill +April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo +April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu +April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore +May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad +May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. 
File: cepteur, Function: accept, Line: maliqu +June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure +June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ +July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu +July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura +August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success +August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut +September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem +September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo +October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid +October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned +November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt +November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access. +December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150 +December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access. 
+December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu +January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi +January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned +February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat +February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa +March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria +March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei +April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: +April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. 
Newly active generation count is: 5959 +May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu) +May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat +June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: +June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli +July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge +July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data +August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration +August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con +August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned +September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure +September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve +October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM +October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959 +November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration +November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access. 
+December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed +December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown +January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento +January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block) +February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned +February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc +March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven +March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101) +April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta +April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363 +April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel) +May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff +May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua +June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned +June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783 +July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip +July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame +August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552 +August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful +September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia +September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration +October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse +October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** +November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng] +November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful +November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve +December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor 
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json new file mode 100644 index 00000000000..b06452aca74 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json 
@@ -0,0 +1,2632 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 0, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6720, + "related.user": [ + "abo" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "sequa", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "abo" + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "event.code": "01490504", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 192, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6153, + "rsa.internal.messageid": "01490504", + "rsa.misc.log_session_id": "deF", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "rsa.web.fqdn": "sist1803.mail.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T22:15:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 312, + "observer.product": 
"Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1166, + "rsa.db.index": "isetq", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 369, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5738, + "related.user": [ + "ccaecat" + ], + "rsa.db.index": "veleumi", + "rsa.internal.messageid": "crond", + "rsa.misc.client": "crond", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "ccaecat" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 435, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5990, + "related.ip": [ + "10.134.175.248" + ], + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "inv", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "f5", + "source.ip": [ + "10.134.175.248" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "event.code": "01490128", + "event.dataset": 
"f5.bigipapm", + "event.module": "f5", + "event.original": "April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 550, + "network.application": "ect", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2044, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "occ", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2016/04/24 00:25:25 aedic high gni: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 644, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "gni", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 698, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-05-22T16:30:33.000Z", + "event.code": "01490505", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6823, + "rsa.internal.event_desc": "tem", + "rsa.internal.messageid": "01490505", + "rsa.misc.log_session_id": "untutlab", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 920, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6446, + "rsa.db.index": "sSMTP:", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "ali", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 981, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 98, + "rsa.db.index": "tati", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": 
"f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.action": "deny", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. File: mnisist, Function: deny, Line: icons", + "file.name": "mnisist", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1052, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2857, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T20:40:50.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1212, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1675, + "related.user": [ + "sitvolup" + ], + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "sitvolup" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.ip": [ + "10.225.160.182" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: 
olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque", + "fileset.name": "bigipapm", + "geo.city_name": "usmodt", + "geo.country_name": "ercit", + "geo.region_name": "saute", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1283, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2289, + "related.ip": [ + "10.204.123.107", + "10.225.160.182" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "eFinib", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "f5", + "source.ip": [ + "10.204.123.107" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1488, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3386, + "rsa.counters.dclass_c1": 4739, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": "01490511", + "rsa.misc.log_session_id": "tevelite", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "fileset.name": 
"bigipapm", + "http.request.referrer": "https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "input.type": "log", + "log.level": "medium", + "log.offset": 1652, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4688, + "rsa.internal.messageid": "01490544", + "rsa.misc.log_session_id": "piscin", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "event.code": "014d0001", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1818, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2364, + "rsa.db.index": "ctx: itinvol, SERVER : eavolup", + "rsa.internal.messageid": "014d0001", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "01490103", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad'", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1926, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5983, + "related.user": [ + "tenimad" + ], + "rsa.internal.messageid": "01490103", + "rsa.misc.log_session_id": "tse", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + 
], + "user.name": "tenimad" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2033, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5625, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "gitsed", + "rsa.misc.severity": "low", + "rsa.network.network_port": 4374, + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. 
success ercita", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2149, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4946, + "related.user": [ + "reetdol" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "itecto", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "reetdol" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2342, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5737, + "rsa.db.index": "tio", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "01490520", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2419, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1188, + "rsa.internal.event_desc": "xce", + "rsa.internal.messageid": "01490520", + "rsa.misc.log_session_id": "tetur", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-12-08T19:06:33.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2506, + "network.application": "utaliqu", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5960, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 2634, + "network.application": "boNemoe", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1485, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iosa", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2736, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5461, + 
"rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "event.code": "01490165", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2861, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490165", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3012, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4808, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "siuta", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal 
name: dunt. success yCic", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3144, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5270, + "related.user": [ + "strude" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "cupi", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "strude" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3347, + "network.protocol": "ipv6-icmp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 748, + "related.ip": [ + "10.104.110.134" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "f5", + "source.ip": [ + "10.104.110.134" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://www5.example.com/olli/rever.html?rsp=oluptat#metco" + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3560, + "observer.product": "Big-IP", + "observer.type": 
"Access", + "observer.vendor": "F5", + "process.pid": 2638, + "rsa.db.index": "ill", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 3621, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7589, + "related.user": [ + "tob" + ], + "rsa.db.index": "itempo", + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mag", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.web.fqdn": "dolores2519.mail.host", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "tob" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. 
unknown cididu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "related.user": [ + "iqua" + ], + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mvolupta", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.web.fqdn": "luptat2979.internal.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "iqua" + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "01490166", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 4061, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490166", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 4206, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2017-05-29T07:37:24.000Z", + "event.action": "accept", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. File: cepteur, Function: accept, Line: maliqu", + "file.name": "cepteur", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4328, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4727, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4488, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5971, + "rsa.internal.event_desc": "umiure", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "porai", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.169.101.161" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ", + "fileset.name": "bigipapm", + 
"geo.city_name": "ine", + "geo.country_name": "sitvo", + "geo.region_name": "writte", + "input.type": "log", + "log.level": "low", + "log.offset": 4572, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4318, + "related.ip": [ + "10.122.204.151", + "10.169.101.161" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "snulap", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "f5", + "source.ip": [ + "10.122.204.151" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4752, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3682, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "etcon", + "rsa.misc.severity": "low", + "rsa.network.network_service": "onsequu", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4871, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2412, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "upta", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": 
"2017-07-25T11:47:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "01490517", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4989, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "rsa.internal.messageid": "01490517", + "rsa.misc.log_session_id": "rur", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut", + "file.directory": "entsu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 5073, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1580, + "process.ppid": 2037, + "related.user": [ + "ptate" + ], + "rsa.db.index": "ntut", + "rsa.internal.messageid": "01420002", + "rsa.misc.client": "met", + "rsa.misc.result": "failure", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "ptate" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "01490549", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 
Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem ", + "fileset.name": "bigipapm", + "group.name": "exerci", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 5216, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 571, + "related.ip": [ + "10.6.32.7" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "exerci", + "rsa.misc.log_session_id": "atev", + "rsa.misc.rule_name": "quid", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rule.name": "quid", + "service.type": "f5", + "source.nat.ip": "10.6.32.7", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 5408, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5051, + "rsa.internal.event_desc": "ipitlabo", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5505, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6438, + "rsa.db.index": "imid", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", 
+ "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5574, + "network.application": "oriosamn", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7083, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iqu", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "01490004", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5679, + "network.application": "sumquiad", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4212, + "rsa.internal.messageid": "01490004", + "rsa.misc.result_code": "iusmodt", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access.", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 5817, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5207, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "01490506", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 5941, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1760, + "rsa.internal.messageid": "01490506", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6076, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1935, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2017-12-29T17:15:58.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6200, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6330, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5924, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "evo", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6466, + "network.application": "edquian", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2580, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "sectetur", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6574, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa", + "file.directory": "tseddoei", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6699, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5019, + "process.ppid": 4996, + "related.user": [ + "rem" + ], + "rsa.db.index": "remagnaa", + "rsa.internal.messageid": "01420002", + "rsa.misc.client": "cusanti", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "rem" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed 
snapshot creation: macc for access profile: ria", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6864, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "01490549", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei ", + "fileset.name": "bigipapm", + "group.name": "tationu", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 6984, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2943, + "related.ip": [ + "10.142.213.80" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "tationu", + "rsa.misc.log_session_id": "ueporroq", + "rsa.misc.rule_name": "olore", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rule.name": "olore", + "service.type": "f5", + "source.nat.ip": "10.142.213.80", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7185, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "mvolupta", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-23T01:36:32.000Z", + "event.code": "01490101", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. Newly active generation count is: 5959", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7241, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2625, + "rsa.counters.dclass_c1": 5959, + "rsa.counters.dclass_c1_str": "Newly active generation count", + "rsa.internal.messageid": "01490101", + "rsa.misc.log_session_id": "reprehen", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.ip": [ + "10.47.99.72" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu)", + "fileset.name": "bigipapm", + "geo.city_name": "boriosa", + "geo.country_name": "Malor", + "geo.region_name": "uasiarch", + "input.type": "log", + "log.level": "medium", + "log.offset": 7407, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1973, + "related.ip": [ + "10.47.99.72", + "10.187.64.126" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.category": "oremipsu", + "rsa.misc.log_session_id": "ectobeat", + "rsa.misc.severity": "medium", + "rsa.time.event_time": 
"2018-05-07T08:39:06.000Z", + "service.type": "f5", + "source.ip": [ + "10.187.64.126" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "auditd", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7626, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3376, + "rsa.db.index": "ctobeat", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7681, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3872, + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tdolo", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7743, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4543, + "rsa.db.index": "sciveli", + 
"rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7823, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4646, + "rsa.internal.event_desc": "cinge", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "event.code": "01490142", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7917, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3126, + "rsa.internal.event_desc": "data", + "rsa.internal.messageid": "01490142", + "rsa.misc.log_session_id": "onoru", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7997, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "loremagn", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8217, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8362, + "network.application": "cipitla", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4877, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "emqui", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-13T00:02:15.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + 
"event.module": "f5", + "event.original": "September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8476, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 52, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "todita", + "rsa.misc.result": "failure", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8584, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7767, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "sequines", + "rsa.misc.severity": "low", + "rsa.network.network_service": "minimve", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "014d0002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8709, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "014d0002", + "rsa.misc.disposition": "Failed", + "rsa.misc.log_session_id": "runtmoll", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8833, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 904, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "roinBCSe", + "rsa.misc.severity": "high", + "rsa.network.network_port": 3959, + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8950, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "tvolup", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access.", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9158, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4762, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 9279, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4345, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "atevelit", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.name": "ugitsed", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9403, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4054, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "iatn", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "01490113", + 
"event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9513, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3923, + "rsa.db.index": "oinvento", + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "moen", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "event.action": "block", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9611, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4071, + "related.user": [ + "iconsequ" + ], + "rsa.internal.messageid": "crond", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "crond", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "iconsequ" + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9691, + "network.application": "did", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6473, + 
"rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "inBC", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9801, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9932, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7023, + "rsa.internal.event_desc": "ven", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "Cicero", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest 
client_ip=10.24.113.101)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10023, + "network.protocol": "rdp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 870, + "related.ip": [ + "10.24.113.101" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "service.type": "f5", + "source.ip": [ + "10.24.113.101" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://example.net/equamn/scipi.txt?eiu=maliquam#gnama" + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10221, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4918, + "rsa.db.index": "pta", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 6092, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10297, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7405, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "rors", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": 
"2019-04-15T09:40:49.000Z", + "service.type": "f5", + "source.bytes": 1363, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10429, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2977, + "related.user": [ + "emac" + ], + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "emac" + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10501, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10624, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7733, + "related.user": [ + "equuntur" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "tura", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "equuntur" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10808, + "network.application": "imaven", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2867, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "itquii", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10930, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7673, + "rsa.counters.dclass_c1": 7783, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": 
"01490511", + "rsa.misc.log_session_id": "psamvolu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "01490000", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11090, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 72, + "rsa.internal.event_desc": "dip", + "rsa.internal.messageid": "01490000", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "01490007", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11162, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7057, + "rsa.internal.messageid": "01490007", + "rsa.misc.change_attrib": "maccu", + "rsa.misc.change_new": "ame", + "rsa.misc.log_session_id": "ecillum", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.bytes": 2132, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552", 
+ "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11276, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2698, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "quisnos", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "f5", + "source.bytes": 2552, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11412, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 613, + "related.user": [ + "xplicabo" + ], + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " Successful", + "rsa.misc.log_session_id": "suscipi", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "xplicabo" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "fileset.name": "bigipapm", + "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11562, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1306, + 
"rsa.internal.messageid": "01490544", + "rsa.misc.log_session_id": "utei", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 11745, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "ciad", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11960, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5944, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "umetMa", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.action": "deny", + "event.code": "Rule", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: 
Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure***", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12084, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 71, + "related.user": [ + "aecon" + ], + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "Rule", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rule.name": "enimadmi", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "aecon" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 12208, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tasnu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12264, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3538, + "related.user": [ + "texp" + ], + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " 
Successful", + "rsa.misc.log_session_id": "orisnis", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "texp" + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12416, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6673, + "rsa.db.index": "ptateve", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 12482, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2121, + "related.user": [ + "oditem" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "uptatev", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "oditem" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go new file mode 100644 index 00000000000..c54966f5028 --- /dev/null +++ b/x-pack/filebeat/module/f5/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package f5 + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "f5", asset.ModuleFieldsPri, AssetF5); err != nil { + panic(err) + } +} + +// AssetF5 returns asset data. +// This is the base64 encoded gzipped contents of module/f5. +func AssetF5() string { + return "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" +} diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/firepass/config/input.yml b/x-pack/filebeat/module/f5/firepass/config/input.yml new file mode 100644 index 00000000000..467922155dc --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "F5"
+ product: "FirePass"
+ type: "VPN"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/f5/firepass/config/liblogparser.js
+ - ${path.home}/module/f5/firepass/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
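Review bot: The `debug: {{.debug}}` parameter handed to the script processor carries no comment explaining what it switches on, and it is not a plain verbosity toggle: the liblogparser.js added in the same commit prints every raw input message (`console.debug(" input: <<" + msg + ">>")`) and, via `dump()`, whole events to the Beat's own log whenever debug is true, while this module's field schema declares a `password` key for values seen in sessions. A one-line comment above it such as `# debug: true copies raw log payloads (including any captured credentials) into Filebeat's own log; leave disabled outside troubleshooting.` would make that cost visible to whoever flips it. Whether `.debug` has a default in the module manifest is not visible in this diff.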
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain",
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field:
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field:
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id":
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field:
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field:
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field:
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field:
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp":
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter:
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar":
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field:
"rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field:
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr2 = match("HEADER#1:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var hdr3 = match("HEADER#2:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0007"), +])); + +var hdr4 = match("HEADER#3:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0008"), + dup1, +])); + +var hdr5 = match("HEADER#4:0001", "message", "%{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr6 = match("HEADER#5:0002", "message", "%{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr7 = match("HEADER#6:0003", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr8 = match("HEADER#7:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, +]); + +var part1 = match("MESSAGE#0:firepass:01", "nwparser.payload", "Entered %{fld2}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg1 = msg("firepass:01", part1); + +var part2 = match("MESSAGE#1:firepass:02", "nwparser.payload", "Logged out%{}", processor_chain([ + setc("eventcategory","1401070000"), + dup5, + dup6, + dup3, + dup4, +])); + +var msg2 = msg("firepass:02", part2); + +var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using %{fld2}", processor_chain([ + 
dup2, + dup3, + dup4, +])); + +var msg3 = msg("firepass:03", part3); + +var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2->} to Remote Host:%{dhost}", processor_chain([ + dup7, + dup3, + dup4, +])); + +var msg4 = msg("firepass:04", part4); + +var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1->} = %{fld2}", processor_chain([ + setc("eventcategory","1701020000"), + dup3, + dup4, +])); + +var msg5 = msg("firepass:05", part5); + +var part6 = match("MESSAGE#5:firepass:06", "nwparser.payload", "Access menu %{fld2}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg6 = msg("firepass:06", part6); + +var part7 = match("MESSAGE#6:firepass:07", "nwparser.payload", "Accessing %{url}", processor_chain([ + dup2, + dup3, + dup4, +])); + +var msg7 = msg("firepass:07", part7); + +var part8 = match("MESSAGE#7:firepass:08", "nwparser.payload", "Network Access: dialing Click to connect to Network Access%{}", processor_chain([ + setc("eventcategory","1801000000"), + dup3, + dup4, +])); + +var msg8 = msg("firepass:08", part8); + +var part9 = match("MESSAGE#8:firepass:09", "nwparser.payload", "FirePass service stopped on %{hostname}", processor_chain([ + dup8, + dup9, + setc("ec_activity","Stop"), + dup3, + dup4, +])); + +var msg9 = msg("firepass:09", part9); + +var part10 = match("MESSAGE#9:firepass:10", "nwparser.payload", "FirePass service started on %{hostname}", processor_chain([ + dup8, + dup9, + setc("ec_activity","Start"), + dup3, + dup4, +])); + +var msg10 = msg("firepass:10", part10); + +var part11 = match("MESSAGE#10:firepass:11", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + setc("eventcategory","1606000000"), + dup3, + setc("event_description","shutting down for system reboot"), +])); + +var msg11 = msg("firepass:11", part11); + +var part12 = match("MESSAGE#11:firepass:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup8, + dup3, +])); + +var msg12 = 
msg("firepass:12", part12); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, +]); + +var part13 = match("MESSAGE#12:GarbageCollection:01", "nwparser.payload", "User: '%{username}' session expired due to inactivity. %{result}.", processor_chain([ + dup10, + dup3, +])); + +var msg13 = msg("GarbageCollection:01", part13); + +var part14 = match("MESSAGE#13:GarbageCollection:02", "nwparser.payload", "User: '%{username}' session was terminated.", processor_chain([ + dup10, + dup3, +])); + +var msg14 = msg("GarbageCollection:02", part14); + +var part15 = match("MESSAGE#14:GarbageCollection:03", "nwparser.payload", "session '%{sessionid}' is expired due to inactivity. %{result}.", processor_chain([ + dup10, + dup3, +])); + +var msg15 = msg("GarbageCollection:03", part15); + +var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apache server is not running. start it%{}", processor_chain([ + dup8, + dup3, +])); + +var msg16 = msg("GarbageCollection:04", part16); + +var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2->} already started with pid %{process_id}", processor_chain([ + dup8, + dup3, +])); + +var msg17 = msg("GarbageCollection:05", part17); + +var part18 = match("MESSAGE#17:GarbageCollection:06", "nwparser.payload", "no servers defined for Radius Accounting%{}", processor_chain([ + dup11, + dup3, +])); + +var msg18 = msg("GarbageCollection:06", part18); + +var part19 = match("MESSAGE#18:GarbageCollection:07", "nwparser.payload", "DHCP Agent is not running... 
Restarting it.%{}", processor_chain([ + dup11, + dup3, +])); + +var msg19 = msg("GarbageCollection:07", part19); + +var part20 = match("MESSAGE#19:GarbageCollection:08", "nwparser.payload", "session '%{sessionid}' is terminated.", processor_chain([ + dup11, + dup3, +])); + +var msg20 = msg("GarbageCollection:08", part20); + +var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can not connect to database %{fld1}", processor_chain([ + dup11, + dup3, + setc("event_description","can not connect to database"), +])); + +var msg21 = msg("GarbageCollection:09", part21); + +var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1->} services", processor_chain([ + dup11, + dup3, + setc("event_description","timeout happened. restarting services"), +])); + +var msg22 = msg("GarbageCollection:10", part22); + +var select3 = linear_select([ + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, +]); + +var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %(unknown). 
%{info->} Server returned:%{result}", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg23 = msg("maintenance:01", part23); + +var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid}", processor_chain([ + dup8, + dup12, + dup6, + dup13, + dup3, + dup4, +])); + +var msg24 = msg("maintenance:02", part24); + +var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg25 = msg("maintenance:03", part25); + +var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port}", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg26 = msg("maintenance:04", part26); + +var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info}", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg27 = msg("maintenance:05", part27); + +var select4 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part28 = match("MESSAGE#27:NetworkAccess:01", "nwparser.payload", "\u003c\u003c%{sessionid}> Open Network Access Connection using remote IP address %{daddr}", processor_chain([ + dup7, + dup12, + dup13, + dup3, + dup4, +])); + +var msg28 = msg("NetworkAccess:01", part28); + +var part29 = match("MESSAGE#28:NetworkAccess:02", "nwparser.payload", "\u003c\u003c%{sessionid}> Network Access Connection terminated", processor_chain([ + dup10, + dup12, + dup13, + dup3, + dup4, +])); + +var msg29 = msg("NetworkAccess:02", part29); + +var part30 = match("MESSAGE#29:NetworkAccess:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - %{info}", processor_chain([ + setc("eventcategory","1801010000"), + dup12, + dup13, + dup3, + dup4, +])); + +var msg30 = msg("NetworkAccess:03", part30); + +var select5 = linear_select([ + msg28, + msg29, + msg30, +]); + +var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username->} logged on from 
%{p0}"); + +var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} "); + +var part33 = match("MESSAGE#30:security:01/1_1", "nwparser.p0", "%{saddr->} Sid = %{sessionid->} "); + +var part34 = match("MESSAGE#30:security:01/1_2", "nwparser.p0", "%{saddr->} "); + +var select6 = linear_select([ + part32, + part33, + part34, +]); + +var all1 = all_match({ + processors: [ + part31, + select6, + ], + on_success: processor_chain([ + setc("eventcategory","1401060000"), + dup5, + dup14, + dup15, + dup3, + ]), +}); + +var msg31 = msg("security:01", all1); + +var part35 = match("MESSAGE#31:security:02/0", "nwparser.payload", "%{} %{p0}"); + +var part36 = match("MESSAGE#31:security:02/1_0", "nwparser.p0", "Invalid %{p0}"); + +var part37 = match("MESSAGE#31:security:02/1_1", "nwparser.p0", "Valid %{p0}"); + +var select7 = linear_select([ + part36, + part37, +]); + +var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username->} failed to log on from %{saddr}"); + +var all2 = all_match({ + processors: [ + part35, + select7, + part38, + ], + on_success: processor_chain([ + dup16, + dup5, + dup14, + dup15, + dup17, + dup3, + ]), +}); + +var msg32 = msg("security:02", all2); + +var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username}", processor_chain([ + setc("eventcategory","1402040100"), + setc("ec_activity","Modify"), + setc("ec_theme","Password"), + setc("ec_outcome","Success"), + dup3, +])); + +var msg33 = msg("security:03", part39); + +var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1->} consecutive authentication failures happened within %{fld2->} min. 
Last Source IP Address: %{saddr->} %{info}", processor_chain([ + dup16, + dup14, + dup15, + dup17, + dup3, +])); + +var msg34 = msg("security:04", part40); + +var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action}] logon from %{saddr}", processor_chain([ + dup18, + dup5, + dup14, + dup15, + setc("ec_outcome","Error"), + dup3, +])); + +var msg35 = msg("security:05", part41); + +var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username->} attempted to access admin account", processor_chain([ + dup18, + dup5, + dup14, + setc("ec_theme","Policy"), + dup17, + dup3, +])); + +var msg36 = msg("security:06", part42); + +var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username->} exceeded the allowed number of concurrent logons", processor_chain([ + dup16, + dup5, + dup14, + dup15, + dup17, + dup3, + setc("event_description","user exceeded the allowed number of concurrent logons"), +])); + +var msg37 = msg("security:07", part43); + +var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username->} from %{saddr->} presented with challenge", processor_chain([ + dup19, + dup5, + dup3, + setc("event_description","user presented with challenge"), +])); + +var msg38 = msg("security:08", part44); + +var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1->} from source IP address %{saddr->} for URI=[%{fld2}]%{info}", processor_chain([ + dup19, + dup5, + dup3, + setc("event_description","Possible intrusion attempt detected"), +])); + +var msg39 = msg("security:09", part45); + +var select8 = linear_select([ + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, +]); + +var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg40 = msg("httpd", part46); + +var part47 = 
match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1->} is not exceeded", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg41 = msg("Miscellaneous:01", part47); + +var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1->} logon records", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg42 = msg("Miscellaneous:02", part48); + +var part49 = match("MESSAGE#42:Miscellaneous:03", "nwparser.payload", "Purge logs: auto started%{}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg43 = msg("Miscellaneous:03", part49); + +var part50 = match("MESSAGE#43:Miscellaneous:04", "nwparser.payload", "Database error detected, dump: %{info}", processor_chain([ + setc("eventcategory","1603000000"), + dup3, + dup4, +])); + +var msg44 = msg("Miscellaneous:04", part50); + +var part51 = match("MESSAGE#44:Miscellaneous:05", "nwparser.payload", "Recovered database successfully%{}", processor_chain([ + dup8, + dup3, + dup4, +])); + +var msg45 = msg("Miscellaneous:05", part51); + +var select9 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ + dup8, + dup3, +])); + +var msg46 = msg("kernel:07", part52); + +var part53 = match("MESSAGE#46:kernel:01", "nwparser.payload", "kernel: Marketing_resource: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg47 = msg("kernel:01", part53); + +var part54 = match("MESSAGE#47:kernel:02", "nwparser.payload", "kernel: CSLIP: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg48 = msg("kernel:02", part54); + +var part55 = match("MESSAGE#48:kernel:03", "nwparser.payload", "kernel: PPP %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg49 = msg("kernel:03", 
part55); + +var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: open failed.%{}", processor_chain([ + dup8, + dup3, +])); + +var msg50 = msg("kernel:04", part56); + +var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ + dup8, + dup3, +])); + +var msg51 = msg("kernel:06", part57); + +var part58 = match("MESSAGE#51:kernel:05", "nwparser.payload", "kernel: %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg52 = msg("kernel:05", part58); + +var select10 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, +]); + +var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username->} from %{saddr->} port %{sport->} %{fld2}", processor_chain([ + setc("eventcategory","1401050100"), + dup3, +])); + +var msg53 = msg("sshd", part59); + +var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1->} PPM from %{fld2}", processor_chain([ + dup8, + dup3, +])); + +var msg54 = msg("ntpd:01", part60); + +var part61 = match("MESSAGE#54:ntpd:02", "nwparser.payload", "kernel time sync status %{resultcode}", processor_chain([ + dup8, + dup3, +])); + +var msg55 = msg("ntpd:02", part61); + +var part62 = match("MESSAGE#55:ntpd:03", "nwparser.payload", "Listening on interface %{interface}, %{hostip}#%{network_port}", processor_chain([ + dup8, + dup3, +])); + +var msg56 = msg("ntpd:03", part62); + +var part63 = match("MESSAGE#56:ntpd:04", "nwparser.payload", "precision = %{duration_string}", processor_chain([ + dup8, + dup3, +])); + +var msg57 = msg("ntpd:04", part63); + +var part64 = match("MESSAGE#57:ntpd:05", "nwparser.payload", "ntpd %{info}", processor_chain([ + dup8, + dup3, +])); + +var msg58 = msg("ntpd:05", part64); + +var select11 = linear_select([ + msg54, + msg55, + msg56, + msg57, + msg58, +]); + +var 
part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport->} terminated", processor_chain([ + dup10, + dup12, + dup13, + dup3, + dup4, +])); + +var msg59 = msg("AppTunnel:01", part65); + +var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ + dup7, + dup12, + dup13, + dup3, + dup4, +])); + +var msg60 = msg("AppTunnel:02", part66); + +var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Connection timed out", processor_chain([ + dup7, + dup12, + dup13, + dup17, + dup3, + dup4, +])); + +var msg61 = msg("AppTunnel:03", part67); + +var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr->} port %{dport->} failed", processor_chain([ + dup7, + dup12, + dup13, + dup17, + dup3, + dup4, +])); + +var msg62 = msg("AppTunnel:04", part68); + +var part69 = match("MESSAGE#62:AppTunnel:05", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Invalid session id", processor_chain([ + dup7, + dup12, + dup13, + dup3, +])); + +var msg63 = msg("AppTunnel:05", part69); + +var select12 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} returned %{resultcode}", processor_chain([ + dup8, + dup3, +])); + +var msg64 = msg("run-crons", part70); + +var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action})", processor_chain([ + dup2, + dup3, +])); + +var msg65 = msg("/USR/SBIN/CRON", part71); + +var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr->} offset %{duration_string}", processor_chain([ + setc("eventcategory","1605030000"), + dup3, +])); + +var msg66 = msg("ntpdate", part72); + +var part73 = match("MESSAGE#66:heartbeat", "nwparser.payload", 
"info: %{info}", processor_chain([ + setc("eventcategory","1604000000"), + dup3, +])); + +var msg67 = msg("heartbeat", part73); + +var part74 = match("MESSAGE#67:mailer", "nwparser.payload", "Failed to send \\'%{subject}\\' to \\'%{to}\\'", processor_chain([ + setc("eventcategory","1207010200"), + setc("ec_subject","Message"), + setc("ec_activity","Send"), + dup13, + dup17, + dup3, +])); + +var msg68 = msg("mailer", part74); + +var part75 = match("MESSAGE#68:EndpointSecurity/0", "nwparser.payload", "id[%{fld1}]: \"%{p0}"); + +var part76 = match("MESSAGE#68:EndpointSecurity/1_0", "nwparser.p0", "%{fld2->} - Connected%{p0}"); + +var part77 = match("MESSAGE#68:EndpointSecurity/1_1", "nwparser.p0", "Connected%{p0}"); + +var select13 = linear_select([ + part76, + part77, +]); + +var part78 = match("MESSAGE#68:EndpointSecurity/2", "nwparser.p0", "%{}from %{saddr->} %{info}\""); + +var all3 = all_match({ + processors: [ + part75, + select13, + part78, + ], + on_success: processor_chain([ + dup20, + dup13, + dup3, + ]), +}); + +var msg69 = msg("EndpointSecurity", all3); + +var part79 = match("MESSAGE#69:EndpointSecurity:01", "nwparser.payload", "id[%{fld1}]: %{event_description}", processor_chain([ + dup20, + dup13, + dup3, +])); + +var msg70 = msg("EndpointSecurity:01", part79); + +var select14 = linear_select([ + msg69, + msg70, +]); + +var part80 = match("MESSAGE#70:snmp", "nwparser.payload", "SNMP handler started%{}", processor_chain([ + dup20, + dup3, + setc("event_description","SNMP handler started"), + setc("action","started"), + setc("protocol","SNMP"), +])); + +var msg71 = msg("snmp", part80); + +var part81 = match("MESSAGE#71:snmp:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup3, +])); + +var msg72 = msg("snmp:01", part81); + +var select15 = linear_select([ + msg71, + msg72, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "/USR/SBIN/CRON": msg65, + "AppTunnel": select12, + "EndpointSecurity": select14, + 
"GarbageCollection": select3,
+ "Miscellaneous": select9,
+ "NetworkAccess": select5,
+ "firepass": select2,
+ "heartbeat": msg67,
+ "httpd": msg40,
+ "kernel": select10,
+ "mailer": msg68,
+ "maintenance": select4,
+ "ntpd": select11,
+ "ntpdate": msg66,
+ "run-crons": msg64,
+ "security": select8,
+ "snmp": select15,
+ "sshd": msg53,
+ }),
+]);
diff --git a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
new file mode 100644
index 00000000000..d303dbfff86
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for F5 Firepass
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
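Review bot: The `description` line is the only documentation in this pipeline, and nothing says where parsing happens; judging from the preceding hunk the field extraction appears to be done by the module's Filebeat-side JavaScript processor, with this pipeline only adding user-agent, geo and ASN enrichment. A header comment such as `# Field extraction is done by the module's JavaScript processor in Filebeat; this pipeline only enriches user_agent.original, source.ip and destination.ip.` would stop a reader from looking for grok/dissect here. On the `on_failure` handler, an enrichment failure leaves the event indexed with only `error.message` appended, so if partially-enriched events need to be found by detection content it is worth stating that explicitly or adding a dedicated marker field next to the `append`.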
diff --git a/x-pack/filebeat/module/f5/firepass/manifest.yml b/x-pack/filebeat/module/f5/firepass/manifest.yml
new file mode 100644
index 00000000000..becd0eb7cd1
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["f5.firepass", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9509
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log
new file mode 100644
index 00000000000..dcd42eb4778
--- /dev/null
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log
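Review bot: The `var` entries carry no documentation, and several names only make sense with the JavaScript processor in hand: from the earlier hunk, `tz_offset` appears to accept the special value `event` (the offset is then read from `event.timezone`) besides the `local` default, `rsa_fields` appears to gate the `rsa.*` mappings, and `keep_raw_fields` appears to keep the unmapped parser output under `rsa.raw`. A comment per variable, e.g. `# tz_offset: timezone of the device timestamps; "local" or "event" (read from event.timezone)`, would make these discoverable from the manifest instead of the processor source. It is also worth noting on `syslog_host` that the `localhost` default only listens on loopback, so a deployment receiving syslog from the appliances has to set it to a reachable interface, and that the `udp` default gives no transport-level authenticity for the received events.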
@@ -0,0 +1,100 @@ +January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur +February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819 +February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu +firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example +NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105 +April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape +GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting +May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS +May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat +June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic" +/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) +/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) +/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) +August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev +maintenance[giatq]: [quid] [fug] uatDuis +firepass[veri]: [rsita] [siutaliq] exercit +September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu +September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\' +October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua" +sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci +November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\' +heartbeat[umdolor]: [osquir] 
info: inim +December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services +December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol" +January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan +January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records +snmp[gni]: [tquiinea] [mquaera] SNMP handler started +February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb +March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it +sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus +April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm +ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup +April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' +run-crons[luptatev]: admi returned modocons +May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam +June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 +June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem +firepass[rehe]: [ume] Logged out +July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) +August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc +kernel[olupt]: [modoco] kernel: cdrom: open failed. 
+September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia +September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames +Miscellaneous[iciatisu]: [rehender] Purge logs: auto started +October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 +heartbeat[dolo]: [Loremip] [idolor] info: emeumfu +November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio +EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" +httpd[rpo]: [uipe] [inesci] scr_monitor: serror +ntpd[apariat]: kernel time sync status tlabore +January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) +snmp[ationemu]: [ice] estiae +February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect +maintenance[etconse]: [tincu] ari +March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp +Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded +EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" +/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) +May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' +May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' +June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor +June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex +/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) +run-crons: returned gel +August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate +August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started +mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' +mailer[udantium]: Failed to send \'pre\' to \'xeacom\' +httpd[dictasu]: [lorinre] scr_monitor: olorsita +ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide +October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc +ntpd[aturQui]: frequency initialized utlabor PPM from rau +firepass[nisi]: [dant] shutting down for system reboot +AppTunnel[tinvolu]: < Error - Invalid session id +December 21 23:20:14 quidolor5025.home run-crons: returned rem +run-crons[idolor]: [uisau] [eleum] sintoc returned volupt +heartbeat[uiinea]: info: Utenima +February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese +February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc +kernel: ionofdeF +March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte +AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id +/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) +April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to 
cipitlab on ipsumd6116.local:6980 +heartbeat[exe]: [imadmini] [sauteiru] info: mod +/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) +httpd[eriti]: [litessec] scr_monitor: itas +June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor +July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host +mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' +August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist +August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) +kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm +September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi +October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau +October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo +November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account +heartbeat[iduntu]: [idestlab] info: rnatur +run-crons[essequam]: acommo returned nturma +December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json new file mode 100644 index 00000000000..e783667b492 --- /dev/null +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json 
@@ -0,0 +1,2321 @@ +[ + { + "destination.ip": [ + "10.232.59.7" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 0, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.232.59.7" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "tur", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819", + "fileset.name": "firepass", + "host.ip": "10.58.254.89", + "input.type": "log", + "log.offset": 100, + "network.interface.name": "lo4377", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.58.254.89" + ], + "rsa.internal.messageid": "ntpd", + "rsa.network.interface": "lo4377", + "rsa.network.network_port": 4819, + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 216, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.36.11.87" + ], + "related.user": [ + "uii" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.36.11.87" + ], + "source.port": 1803, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "uii" + }, + { + "event.code": 
"firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example", + "fileset.name": "firepass", + "host.name": "eosquir5191.www.example", + "input.type": "log", + "log.offset": 347, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "quipexe" + ], + "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Service", + "rsa.network.alias_host": [ + "eosquir5191.www.example" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "quipexe" + }, + { + "destination.ip": [ + "10.194.156.105" + ], + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 432, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.194.156.105" + ], + "related.user": [ + "uidolor" + ], + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "nibus", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "uidolor" + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 544, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "emape", + "rsa.internal.messageid": "EndpointSecurity", + 
"rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 640, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "GarbageCollection", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 720, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "roinBCS", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 795, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "equat", + "rsa.internal.messageid": "firepass", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 869, + "observer.product": "FirePass", + "observer.type": "VPN", + 
"observer.vendor": "F5", + "related.ip": [ + "10.38.189.242" + ], + "rsa.db.index": "ommodic", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.38.189.242" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 996, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "atcup" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "accept" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "atcup" + }, + { + "event.action": "accept", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1060, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "uptassi" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "accept" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "uptassi" + }, + { + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1104, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "isetq" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], + "service.type": "f5", + "tags": [ + 
"f5.firepass", + "forwarded" + ], + "user.name": "isetq" + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1155, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.175.6.112" + ], + "related.user": [ + "sum" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.175.6.112" + ], + "source.port": 5509, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "sum" + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "maintenance[giatq]: [quid] [fug] uatDuis", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1267, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "quid" + ], + "rsa.db.index": "uatDuis", + "rsa.internal.messageid": "maintenance", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "quid" + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1308, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "exercit", + "rsa.internal.messageid": "firepass", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.230.12.79" + ], + "destination.port": 340, + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ 
SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1351, + "network.protocol": "ggp", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.18.220.102", + "10.230.12.79" + ], + "rsa.db.index": "obeataev", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "source.ip": [ + "10.18.220.102" + ], + "source.port": 5000, + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1524, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "temq", + "rsa.email.subject": "uam", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1630, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.50.112.141" + ], + "rsa.db.index": "mqua", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.50.112.141" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + 
}, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1754, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.61.78.108" + ], + "related.user": [ + "err" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.61.78.108" + ], + "source.port": 2398, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "err" + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1842, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "riat", + "rsa.email.subject": "idexea", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[umdolor]: [osquir] info: inim", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1935, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "inim", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 8 17:06:33 
tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 1975, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "timeout happened. restarting services", + "rsa.internal.messageid": "GarbageCollection", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2080, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.243.206.225" + ], + "rsa.db.index": "mol", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.243.206.225" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2210, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ccusan", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. 
Deleted snulapar logon records", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2293, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "taevi" + ], + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "taevi" + }, + { + "event.action": "started", + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2426, + "network.protocol": "SNMP", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "SNMP handler started", + "rsa.internal.messageid": "snmp", + "rsa.misc.action": [ + "started" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2479, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.0.3.58" + ], + "related.user": [ + "labor" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.0.3.58" + ], + "source.port": 7224, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "labor" + }, + { + "event.code": "GarbageCollection", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. 
start it", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2605, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "GarbageCollection", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2732, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.169.144.147" + ], + "related.user": [ + "ist" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.169.144.147" + ], + "source.port": 2399, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "ist" + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2826, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "omm", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.196.105.137" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2921, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.196.105.137" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "lup", + "service.type": "f5", + "tags": [ + "f5.firepass", + 
"forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 2984, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "xea", + "rsa.email.subject": "lupt", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[luptatev]: admi returned modocons", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3068, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "modocons", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.46.158.31" + ], + "destination.port": 3369, + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3112, + "network.protocol": "rdp", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.117.146.33", + "10.46.158.31" + ], + "rsa.db.index": "dun", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "source.ip": [ + "10.117.146.33" + ], + 
"source.port": 703, + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "security", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", + "event.outcome": "unknown", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3287, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.196.136.214" + ], + "rsa.internal.messageid": "security", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Error", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "service.type": "f5", + "source.ip": [ + "10.196.136.214" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3385, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "mexercit" + ], + "rsa.internal.messageid": "maintenance", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "dtem", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "mexercit" + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[rehe]: [ume] Logged out", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3477, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "ume" + ], 
+ "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_subject": "User", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "ume" + }, + { + "event.action": "cancel", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3510, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "dexeaco" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "cancel" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "dexeaco" + }, + { + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3602, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "erc", + "rsa.internal.messageid": "snmp", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3670, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", + 
"fileset.name": "firepass", + "input.type": "log", + "log.offset": 3722, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "uasia", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3808, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "uames", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3898, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "rehender" + ], + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "rehender" + }, + { + "destination.ip": [ + "10.192.18.42" + ], + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 3959, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.192.18.42" + ], + 
"related.user": [ + "equatD" + ], + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "isno", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "equatD" + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4103, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "emeumfu", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4153, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.86.63.253" + ], + "related.user": [ + "amvolup" + ], + "rsa.internal.messageid": "sshd", + "service.type": "f5", + "source.ip": [ + "10.86.63.253" + ], + "source.port": 2133, + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "amvolup" + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4288, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.26.236.35" + ], + "rsa.db.index": "lumqui", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": 
"Communication", + "service.type": "f5", + "source.ip": [ + "10.26.236.35" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4378, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "uipe" + ], + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "uipe" + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpd[apariat]: kernel time sync status tlabore", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4426, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "rsa.misc.result_code": "tlabore", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4473, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "isc" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "isc" + }, + { + "event.code": "snmp", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "snmp[ationemu]: [ice] estiae", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4569, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": 
"F5", + "rsa.internal.event_desc": "estiae", + "rsa.internal.messageid": "snmp", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.170.148.40" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4598, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.170.148.40" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "hitect", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "maintenance[etconse]: [tincu] ari", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4706, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "tincu" + ], + "rsa.db.index": "ari", + "rsa.internal.messageid": "maintenance", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "tincu" + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4740, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "texp", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4819, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "eaq" + ], + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "eaq" + }, + { + "event.code": "EndpointSecurity", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 4919, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.164.6.207" + ], + "rsa.db.index": "olestiae", + "rsa.internal.messageid": "EndpointSecurity", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "source.ip": [ + "10.164.6.207" + ], + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5016, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "amre" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "allow" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "amre" + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5071, + "observer.product": "FirePass", + 
"observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "uioffi", + "rsa.email.subject": "sectetur", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5170, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "pariatu", + "rsa.email.subject": "reseos", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5259, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "olor", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5350, + "observer.product": "FirePass", 
+ "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "tasuntex", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5430, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "lamcolab" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "lamcolab" + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons: returned gel", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5494, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "gel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5519, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "uptate", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "Miscellaneous", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", + "fileset.name": "firepass", + 
"input.type": "log", + "log.offset": 5599, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "aliquam" + ], + "rsa.internal.messageid": "Miscellaneous", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "aliquam" + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5692, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "acommod", + "rsa.email.subject": "reme", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5766, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "xeacom", + "rsa.email.subject": "pre", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", + "fileset.name": "firepass", + "input.type": "log", 
+ "log.offset": 5821, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "lorinre" + ], + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "lorinre" + }, + { + "destination.ip": [ + "10.105.76.230" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5869, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.105.76.230" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "aliquide", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 5942, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "intocc", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6036, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "firepass[nisi]: [dant] shutting down for system 
reboot", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6094, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "firepass", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "AppTunnel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6149, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "AppTunnel", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "iurer", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6205, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "rem", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6269, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "volupt", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + 
"event.original": "heartbeat[uiinea]: info: Utenima", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6327, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "Utenima", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.25.52.65" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6360, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.25.52.65" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "ese", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6466, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ntocc", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel: ionofdeF", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6547, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "ionofdeF", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + 
"event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6564, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "ntpd", + "rsa.time.duration_str": "epte", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "AppTunnel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6636, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "AppTunnel", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "uatD", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6709, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "ntocca" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "ntocca" + }, + { + "event.code": "maintenance", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6764, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": 
[ + "ntmollit" + ], + "rsa.internal.messageid": "maintenance", + "rsa.network.network_port": 6980, + "rsa.web.fqdn": "ipsumd6116.local", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "ntmollit" + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6886, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "mod", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6934, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "tnulapa" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "deny" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "tnulapa" + }, + { + "event.code": "httpd", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 6985, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "litessec" + ], + "rsa.internal.messageid": "httpd", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "litessec" + }, + { + "destination.ip": [ + "10.186.101.163" + ], + "event.code": "ntpdate", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] 
[Sedutp] adjust time server 10.186.101.163 offset utlabor", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7028, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.186.101.163" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.time.duration_str": "utlabor", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "firepass", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", + "fileset.name": "firepass", + "host.name": "eufugi2923.internal.host", + "input.type": "log", + "log.offset": 7151, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "tvolupt" + ], + "rsa.internal.messageid": "firepass", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.network.alias_host": [ + "eufugi2923.internal.host" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "tvolupt" + }, + { + "event.code": "mailer", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "mailer[untut]: [uamni] Failed to send \\'ctet\\' to \\'ati\\'", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7270, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.email.email_dst": "ati", + "rsa.email.subject": "ctet", + "rsa.internal.messageid": "mailer", + "rsa.investigations.ec_activity": "Send", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Message", + "rsa.investigations.ec_theme": "Communication", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "NetworkAccess", + "event.dataset": "f5.firepass", + 
"event.module": "f5", + "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7328, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "ven" + ], + "rsa.db.index": "nisist", + "rsa.internal.messageid": "NetworkAccess", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.log_session_id": "con", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "ven" + }, + { + "event.action": "cancel", + "event.code": "/USR/SBIN/CRON", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7416, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "laudant" + ], + "rsa.internal.messageid": "/USR/SBIN/CRON", + "rsa.misc.action": [ + "cancel" + ], + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ], + "user.name": "laudant" + }, + { + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7518, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "runtm", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7569, + 
"observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "oremi", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7646, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "mquelau", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7717, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "idolo", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "security", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", + "event.outcome": "failure", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7821, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.user": [ + "fugi" + ], + "rsa.internal.messageid": "security", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Policy", + "service.type": "f5", + "tags": [ + "f5.firepass", + 
"forwarded" + ], + "user.name": "fugi" + }, + { + "event.code": "heartbeat", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7948, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.db.index": "rnatur", + "rsa.internal.messageid": "heartbeat", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "event.code": "run-crons", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "run-crons[essequam]: acommo returned nturma", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 7991, + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "rsa.internal.messageid": "run-crons", + "rsa.misc.result_code": "nturma", + "service.type": "f5", + "tags": [ + "f5.firepass", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.225.181.30" + ], + "destination.port": 5390, + "event.code": "kernel", + "event.dataset": "f5.firepass", + "event.module": "f5", + "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", + "fileset.name": "firepass", + "input.type": "log", + "log.offset": 8035, + "network.protocol": "udp", + "observer.product": "FirePass", + "observer.type": "VPN", + "observer.vendor": "F5", + "related.ip": [ + "10.65.175.9", + "10.225.181.30" + ], + "rsa.db.index": "uia", + "rsa.internal.messageid": "kernel", + "service.type": "f5", + "source.ip": [ + "10.65.175.9" + ], + "source.port": 4412, + "tags": [ + "f5.firepass", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 969d618f808..0b2eb336295 100644 
--- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -11,3 +11,22 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc index a879cd60e06..ee6448f4cdd 100644 --- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc 
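Review bot: The new `clientendpoint` fileset ships with `enabled: true`, so anyone who enables the fortinet module after this change also starts an experimental UDP syslog listener on port 9510 without opting in; for a dataset the accompanying docs mark `experimental[]`, defaulting to `enabled: false` (or at minimum placing a `# Experimental dataset: enables a UDP listener on 9510 when the module is on.` comment beside `enabled: true`) would make that opt-in explicit. If the existing filesets in this module also default to `enabled: true` and that is the project convention, the comment alone is the minimum. The template also omits `var.keep_raw_fields`, which the docs added in this same change describe (default false, raw parser output under `rsa.raw`); adding `# var.keep_raw_fields: false` next to `# var.rsa_fields: true` keeps the template and the docs in step. Because the default bind is `localhost` and UDP syslog carries no sender authentication, a reminder such as `# Binding to 0.0.0.0 exposes an unauthenticated UDP listener; restrict it at the firewall or use tcp.` next to `var.syslog_host` helps operators who change it.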
@@ -59,6 +59,53 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`. +:fileset_ex!: + +[float] +==== `clientendpoint` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9510` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== Fortinet ECS fields diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml new file mode 100644
index 00000000000..2792f46aafd
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Fortinet"
+ product: "FortiClient"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/fortinet/clientendpoint/config/liblogparser.js
+ - ${path.home}/module/fortinet/clientendpoint/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
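Review bot: The non-file branch at `host: "{{.syslog_host}}:{{.syslog_port}}"` opens a plain network listener with no `ssl` block or source restriction, so anything that can reach the port is ingested and stamped `observer.vendor: "Fortinet"` / `product: "FortiClient"` by the `fields` block below, which lets an unauthenticated sender forge endpoint-protection events into the dataset. Presumably `.input` is tcp or udp and the defaults come from the module's manifest, which is outside this hunk; at minimum the manifest should default `syslog_host` to a loopback address and this template should pass an `ssl` setting through for the tcp case, e.g. `{{ if .ssl }}` / `ssl: {{ .ssl | tojson }}` / `{{ end }}` directly under `host:`. Separately, `debug: {{.debug}}` is handed to liblogparser.js, which when enabled writes the full raw line of every event to the Filebeat log via console.debug on each dissect attempt, so the option deserves a comment such as `# debug: logs every raw event line to the Filebeat log; do not enable on hosts that receive sensitive data`. The `type: "Anti-Virus"` value also sits oddly against the dataset name `clientendpoint` in the file path; confirm whether an endpoint-style observer type is intended.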
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + 
field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, +]); + +var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg1 = msg("enter", part1); + +var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg2 = msg("repeated", part2); + +var msg3 = msg("ms-wbt-server", dup9); + +var msg4 = msg("http", dup9); + +var msg5 = msg("https", dup9); + +var msg6 = msg("smtp", dup9); + +var msg7 = msg("pop3", dup9); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), +]); + +var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); 
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
new file mode 100644
index 00000000000..1897a785e50
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Fortinet FortiClient Endpoint Security
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
new file mode 100644
index 00000000000..b070cd9c37e
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
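Review bot: The `geoip` processors read `source.ip` and `destination.ip`, but the expected output added in this PR stores both as arrays (`"source.ip": ["10.150.92.220"]`), so whether the lookups run at all depends on the geoip processor's handling of list-valued fields in the targeted Elasticsearch version; confirm that `source.geo`/`source.as` are actually produced rather than the step quietly ending in `on_failure`. The fixtures cannot show this either way, since every address in generated.log is in 10.0.0.0/8 and yields no geo or AS result. A one-line header comment would also help readers of this file: `# Enrichment only: parsing and ECS/RSA mapping happen in the dataset's JS pipeline; this stage adds user agent, geo and AS data.` Note too that the `on_failure` handler only appends to `error.message` without tagging the event, so enrichment failures are visible only by inspecting that field.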
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["fortinet.clientendpoint", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9510
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
new file mode 100644
index 00000000000..11c42635932
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
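Review bot: The `tz_offset` variable carries no documentation of its accepted values, while the dataset's JS pipeline above special-cases the string `event` (reading `event.timezone`) and otherwise hands the value to `DateContainer`; a comment on the manifest entry would spare operators guessing, e.g. `# tz_offset: local, event (take the offset from event.timezone), or an explicit offset passed to the pipeline`. The default `syslog_host: localhost` with `input: udp` keeps the listener bound locally, which is the right conservative default for a dataset that accepts unauthenticated syslog. It is also worth noting next to `keep_raw_fields` that enabling it presumably retains the whole parsed field object under `rsa.raw` (see `populate_fields` above), which can noticeably increase event size and duplicates data already mapped to ECS.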
@@ -0,0 +1,100 @@ +January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure +February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown +February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success +March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success +March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure +April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown +April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure +May 8 07:27:59 
isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown +May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure +June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success +June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure +July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown +July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success +August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure +August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 
dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure +August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure +September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown +September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown +October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure +October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure +November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown +November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 
app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure +December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success +December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success +January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success +January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success +February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure +February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success +March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown 
+March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success +April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure +April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown +April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure +May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success +May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown +June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown +June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny 
src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success +July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success +July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure +August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown +August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success +September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown +September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure +October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby 
traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure +October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure +November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown +November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success +December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown +December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success +December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success +January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound 
block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure +January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure +February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown +February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown +March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success +March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure +April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure +April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 
logon_user=mvolu@mveleum4322.www5.host msg=success +May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown +May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success +June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown +June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success +July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success +July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown +August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown +August 15 07:57:06 mag1506.internal.domain 
proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success +August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure +September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown +September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure +October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure +October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown +November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure +November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny 
src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure +December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure +December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success +January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure +January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown +February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown +February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success +March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 
app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure +March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success +April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success +April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown +April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success +May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure +May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown +June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 
logon_user=ita@amquaer3985.www5.example msg=success +June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure +July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success +July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success +August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure +August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure +September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure +September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown +October 3 20:11:40 
rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success +October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success +November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success +November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown +November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure +December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json new file mode 100644 index 00000000000..70dc501501d --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json 
@@ -0,0 +1,5702 @@ +[ + { + "@timestamp": "2020-01-29T08:09:59.000Z", + "destination.ip": [ + "10.102.123.34" + ], + "destination.port": 3994, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "boNemoe4402.www.invalid", + "input.type": "log", + "log.offset": 0, + "network.direction": "external", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7880, + "related.ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "related.user": [ + "sumdo" + ], + "rsa.counters.dclass_c1": 5286, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "boNemoe4402.www.invalid" + ], + "rsa.network.domain": "litesse6379.api.domain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "server.domain": "litesse6379.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.150.92.220" + ], + "source.port": 7178, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "sumdo" + }, + { + "@timestamp": "2020-02-12T15:12:33.000Z", + "destination.ip": [ + "10.149.203.46" + ], + "destination.port": 5861, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": 
"fortinet", + "event.original": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "olupt4880.api.home", + "input.type": "log", + "log.offset": 281, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4539, + "related.ip": [ + "10.149.203.46", + "10.33.212.159" + ], + "related.user": [ + "mipsumq" + ], + "rsa.counters.dclass_c1": 4402, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "olupt4880.api.home" + ], + "rsa.network.domain": "gnaali6189.internal.localhost", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "server.domain": "gnaali6189.internal.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.33.212.159" + ], + "source.port": 2789, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mipsumq" + }, + { + "@timestamp": "2020-02-26T22:15:08.000Z", + "destination.ip": [ + "10.118.175.9" + ], + "destination.port": 2802, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown 
block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aqu1628.internal.domain", + "input.type": "log", + "log.offset": 563, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 445, + "related.ip": [ + "10.173.116.41", + "10.118.175.9" + ], + "related.user": [ + "uame" + ], + "rsa.counters.dclass_c1": 7019, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aqu1628.internal.domain" + ], + "rsa.network.domain": "quis1130.internal.corp", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "server.domain": "quis1130.internal.corp", + "service.type": "fortinet", + "source.ip": [ + "10.173.116.41" + ], + "source.port": 3710, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uame" + }, + { + "@timestamp": "2020-03-12T05:17:42.000Z", + "destination.ip": [ + "10.202.204.154" + ], + "destination.port": 3587, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tinculp2940.internal.local", + "input.type": "log", + "log.offset": 837, + "network.direction": 
"unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5712, + "related.ip": [ + "10.202.204.154", + "10.134.137.177" + ], + "related.user": [ + "orsitame" + ], + "rsa.counters.dclass_c1": 2458, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tinculp2940.internal.local" + ], + "rsa.network.domain": "reprehe189.internal.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "server.domain": "reprehe189.internal.home", + "service.type": "fortinet", + "source.ip": [ + "10.134.137.177" + ], + "source.port": 7868, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "orsitame" + }, + { + "@timestamp": "2020-03-26T12:20:16.000Z", + "destination.ip": [ + "10.70.0.60" + ], + "destination.port": 4982, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rad2103.api.domain", + "input.type": "log", + "log.offset": 1122, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6557, + "related.ip": [ + "10.245.142.250", + "10.70.0.60" + ], + "related.user": [ + 
"eos" + ], + "rsa.counters.dclass_c1": 2638, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "rad2103.api.domain" + ], + "rsa.network.domain": "enimad2283.internal.domain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "server.domain": "enimad2283.internal.domain", + "service.type": "fortinet", + "source.ip": [ + "10.245.142.250" + ], + "source.port": 5408, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eos" + }, + { + "@timestamp": "2020-04-09T19:22:51.000Z", + "destination.ip": [ + "10.200.188.142" + ], + "destination.port": 7143, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "enim5316.www5.local", + "input.type": "log", + "log.offset": 1395, + "network.direction": "external", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2061, + "related.ip": [ + "10.200.188.142", + "10.202.72.124" + ], + "related.user": [ + "iusmodt" + ], + "rsa.counters.dclass_c1": 513, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "enim5316.www5.local" + ], + "rsa.network.domain": "doloreeu3553.www5.home", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "server.domain": "doloreeu3553.www5.home", + "service.type": "fortinet", + "source.ip": [ + "10.202.72.124" + ], + "source.port": 4665, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "iusmodt" + }, + { + "@timestamp": "2020-04-24T02:25:25.000Z", + "destination.ip": [ + "10.214.225.125" + ], + "destination.port": 2121, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reetdolo2770.www5.local", + "input.type": "log", + "log.offset": 1669, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5722, + "related.ip": [ + "10.12.44.169", + "10.214.225.125" + ], + "related.user": [ + "erep" + ], + "rsa.counters.dclass_c1": 6071, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reetdolo2770.www5.local" + ], + "rsa.network.domain": "iutal13.api.localdomain", + "rsa.network.network_service": "pop3", 
+ "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "server.domain": "iutal13.api.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.12.44.169" + ], + "source.port": 5710, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "erep" + }, + { + "@timestamp": "2020-05-08T09:27:59.000Z", + "destination.ip": [ + "10.198.136.50" + ], + "destination.port": 2089, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "isiu1114.internal.corp", + "input.type": "log", + "log.offset": 1946, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5037, + "related.ip": [ + "10.66.108.11", + "10.198.136.50" + ], + "related.user": [ + "uptatev" + ], + "rsa.counters.dclass_c1": 3856, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "isiu1114.internal.corp" + ], + "rsa.network.domain": "uovol492.www.localhost", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "server.domain": "uovol492.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.66.108.11" + ], + "source.port": 6875, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": 
"uptatev" + }, + { + "@timestamp": "2020-05-22T16:30:33.000Z", + "destination.ip": [ + "10.69.20.77" + ], + "destination.port": 7579, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "usmodte1296.www.corp", + "input.type": "log", + "log.offset": 2213, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 776, + "related.ip": [ + "10.178.244.31", + "10.69.20.77" + ], + "related.user": [ + "umdolor" + ], + "rsa.counters.dclass_c1": 5575, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "usmodte1296.www.corp" + ], + "rsa.network.domain": "osquir6997.corp", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "server.domain": "osquir6997.corp", + "service.type": "fortinet", + "source.ip": [ + "10.178.244.31" + ], + "source.port": 3857, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umdolor" + }, + { + "@timestamp": "2020-06-05T23:33:08.000Z", + "destination.ip": [ + "10.203.5.162" + ], + "destination.port": 7290, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + 
"event.original": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tatno4987.www5.localhost", + "input.type": "log", + "log.offset": 2481, + "network.direction": "unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6096, + "related.ip": [ + "10.54.231.100", + "10.203.5.162" + ], + "related.user": [ + "umdolore" + ], + "rsa.counters.dclass_c1": 3162, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tatno4987.www5.localhost" + ], + "rsa.network.domain": "eniam7007.api.invalid", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "server.domain": "eniam7007.api.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.54.231.100" + ], + "source.port": 5616, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umdolore" + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "destination.ip": [ + "10.136.252.240" + ], + "destination.port": 4105, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 
logon_user=ender@snulapar3794.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tatno6787.internal.localhost", + "input.type": "log", + "log.offset": 2751, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7307, + "related.ip": [ + "10.65.83.160", + "10.136.252.240" + ], + "related.user": [ + "ender" + ], + "rsa.counters.dclass_c1": 7148, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tatno6787.internal.localhost" + ], + "rsa.network.domain": "snulapar3794.api.domain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "server.domain": "snulapar3794.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.65.83.160" + ], + "source.port": 3592, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ender" + }, + { + "@timestamp": "2020-07-04T13:38:16.000Z", + "destination.ip": [ + "10.210.213.18" + ], + "destination.port": 3970, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "essecill2595.mail.local", + "input.type": "log", + "log.offset": 3031, + "network.direction": "internal", + 
"network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2703, + "related.ip": [ + "10.210.213.18", + "10.57.40.29" + ], + "related.user": [ + "onse" + ], + "rsa.counters.dclass_c1": 6179, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "essecill2595.mail.local" + ], + "rsa.network.domain": "liq5883.localdomain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "server.domain": "liq5883.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.57.40.29" + ], + "source.port": 7616, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "onse" + }, + { + "@timestamp": "2019-07-18T20:40:50.000Z", + "destination.ip": [ + "10.200.156.102" + ], + "destination.port": 6061, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ali6446.localhost", + "input.type": "log", + "log.offset": 3294, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5166, + "related.ip": [ + "10.200.156.102", + "10.144.82.69" + ], + "related.user": [ + "rveli" + ], + "rsa.counters.dclass_c1": 7041, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ali6446.localhost" + ], + "rsa.network.domain": "rsint7026.test", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "server.domain": "rsint7026.test", + "service.type": "fortinet", + "source.ip": [ + "10.144.82.69" + ], + "source.port": 2896, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "rveli" + }, + { + "@timestamp": "2019-08-02T03:43:25.000Z", + "destination.ip": [ + "10.72.58.135" + ], + "destination.port": 2382, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "torev7118.internal.domain", + "input.type": "log", + "log.offset": 3551, + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7668, + "related.ip": [ + "10.109.232.112", + "10.72.58.135" + ], + "related.user": [ + "xea" + ], + "rsa.counters.dclass_c1": 1112, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + 
"rsa.network.alias_host": [ + "torev7118.internal.domain" + ], + "rsa.network.domain": "qua2945.www.local", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "server.domain": "qua2945.www.local", + "service.type": "fortinet", + "source.ip": [ + "10.109.232.112" + ], + "source.port": 5160, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "xea" + }, + { + "@timestamp": "2019-08-16T10:45:59.000Z", + "destination.ip": [ + "10.72.29.73" + ], + "destination.port": 203, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dolore6103.www5.example", + "input.type": "log", + "log.offset": 3823, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1044, + "related.ip": [ + "10.38.22.45", + "10.72.29.73" + ], + "related.user": [ + "onproide" + ], + "rsa.counters.dclass_c1": 4979, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "dolore6103.www5.example" + ], + "rsa.network.domain": "luptat6494.www.example", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-16T10:45:59.000Z", + "server.domain": "luptat6494.www.example", + "service.type": 
"fortinet", + "source.ip": [ + "10.38.22.45" + ], + "source.port": 1493, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "onproide" + }, + { + "@timestamp": "2019-08-30T17:48:33.000Z", + "destination.ip": [ + "10.76.72.111" + ], + "destination.port": 7388, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "errorsi6996.www.domain", + "input.type": "log", + "log.offset": 4096, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7183, + "related.ip": [ + "10.70.95.74", + "10.76.72.111" + ], + "related.user": [ + "ivelits" + ], + "rsa.counters.dclass_c1": 2362, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "errorsi6996.www.domain" + ], + "rsa.network.domain": "moenimi6317.internal.invalid", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "server.domain": "moenimi6317.internal.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.70.95.74" + ], + "source.port": 6119, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ivelits" + }, + { + "@timestamp": "2019-09-14T00:51:07.000Z", + "destination.ip": [ + 
"10.73.69.75" + ], + "destination.port": 6218, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lumquido5839.api.corp", + "input.type": "log", + "log.offset": 4379, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6907, + "related.ip": [ + "10.73.69.75", + "10.19.201.13" + ], + "related.user": [ + "tat" + ], + "rsa.counters.dclass_c1": 2655, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "lumquido5839.api.corp" + ], + "rsa.network.domain": "tion1761.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "server.domain": "tion1761.home", + "service.type": "fortinet", + "source.ip": [ + "10.19.201.13" + ], + "source.port": 5006, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tat" + }, + { + "@timestamp": "2019-09-28T07:53:42.000Z", + "destination.ip": [ + "10.84.105.75" + ], + "destination.port": 98, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny 
src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aperia4409.www5.invalid", + "input.type": "log", + "log.offset": 4640, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 499, + "related.ip": [ + "10.84.105.75", + "10.78.151.178" + ], + "related.user": [ + "iquaUten" + ], + "rsa.counters.dclass_c1": 4085, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + "rsa.network.domain": "santium4235.api.local", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "server.domain": "santium4235.api.local", + "service.type": "fortinet", + "source.ip": [ + "10.78.151.178" + ], + "source.port": 1846, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "iquaUten" + }, + { + "@timestamp": "2019-10-12T14:56:16.000Z", + "destination.ip": [ + "10.25.192.202" + ], + "destination.port": 6462, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", + "event.outcome": "failure", + 
"fileset.name": "clientendpoint", + "host.name": "tem2496.api.lan", + "input.type": "log", + "log.offset": 4925, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1531, + "related.ip": [ + "10.135.233.146", + "10.25.192.202" + ], + "related.user": [ + "emeumfu" + ], + "rsa.counters.dclass_c1": 4610, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tem2496.api.lan" + ], + "rsa.network.domain": "CSed2857.www5.example", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "server.domain": "CSed2857.www5.example", + "service.type": "fortinet", + "source.ip": [ + "10.135.233.146" + ], + "source.port": 4181, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emeumfu" + }, + { + "@timestamp": "2019-10-26T21:58:50.000Z", + "destination.ip": [ + "10.104.134.200" + ], + "destination.port": 2508, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eme6710.mail.invalid", + "input.type": "log", + "log.offset": 5204, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Fortinet", + "process.pid": 6051, + "related.ip": [ + "10.104.134.200", + "10.121.219.204" + ], + "related.user": [ + "uptat" + ], + "rsa.counters.dclass_c1": 7084, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "eme6710.mail.invalid" + ], + "rsa.network.domain": "equep5085.mail.domain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "server.domain": "equep5085.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.121.219.204" + ], + "source.port": 3611, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uptat" + }, + { + "@timestamp": "2019-11-10T05:01:24.000Z", + "destination.ip": [ + "10.225.160.182" + ], + "destination.port": 4810, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ihilm1669.mail.invalid", + "input.type": "log", + "log.offset": 5477, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6994, + "related.ip": [ + "10.225.160.182", + "10.191.105.82" + ], + "related.user": [ + "eirure" + ], + "rsa.counters.dclass_c1": 3936, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": 
"https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ihilm1669.mail.invalid" + ], + "rsa.network.domain": "conseq557.mail.lan", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "server.domain": "conseq557.mail.lan", + "service.type": "fortinet", + "source.ip": [ + "10.191.105.82" + ], + "source.port": 3361, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eirure" + }, + { + "@timestamp": "2019-11-24T12:03:59.000Z", + "destination.ip": [ + "10.161.57.8" + ], + "destination.port": 2716, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "umexerci1284.internal.localdomain", + "input.type": "log", + "log.offset": 5751, + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5200, + "related.ip": [ + "10.141.44.153", + "10.161.57.8" + ], + "related.user": [ + "quisnos" + ], + "rsa.counters.dclass_c1": 3333, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + 
"umexerci1284.internal.localdomain" + ], + "rsa.network.domain": "ite2026.www.invalid", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + "server.domain": "ite2026.www.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.141.44.153" + ], + "source.port": 3750, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quisnos" + }, + { + "@timestamp": "2019-12-08T19:06:33.000Z", + "destination.ip": [ + "10.6.167.7" + ], + "destination.port": 2022, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "adol485.example", + "input.type": "log", + "log.offset": 6034, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3365, + "related.ip": [ + "10.6.167.7", + "10.153.111.103" + ], + "related.user": [ + "eumfug" + ], + "rsa.counters.dclass_c1": 7424, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "adol485.example" + ], + "rsa.network.domain": "lit5929.test", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "server.domain": "lit5929.test", + "service.type": "fortinet", + "source.ip": [ + "10.153.111.103" + ], + "source.port": 
4977, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eumfug" + }, + { + "@timestamp": "2019-12-23T02:09:07.000Z", + "destination.ip": [ + "10.134.148.219" + ], + "destination.port": 4430, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "evita5008.www.localdomain", + "input.type": "log", + "log.offset": 6293, + "network.direction": "inbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1835, + "related.ip": [ + "10.134.148.219", + "10.248.204.182" + ], + "related.user": [ + "uioffi" + ], + "rsa.counters.dclass_c1": 4168, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "evita5008.www.localdomain" + ], + "rsa.network.domain": "oru6938.invalid", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "server.domain": "oru6938.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.248.204.182" + ], + "source.port": 1331, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uioffi" + }, + { + "@timestamp": "2020-01-06T09:11:41.000Z", + "destination.ip": [ + "10.163.5.243" + ], + "destination.port": 4129, + "event.action": "deny", + "event.code": "smtp", + 
"event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tsedqu2456.www5.invalid", + "input.type": "log", + "log.offset": 6562, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2019, + "related.ip": [ + "10.163.5.243", + "10.178.77.231" + ], + "related.user": [ + "liquide" + ], + "rsa.counters.dclass_c1": 1123, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tsedqu2456.www5.invalid" + ], + "rsa.network.domain": "etdol5473.local", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "server.domain": "etdol5473.local", + "service.type": "fortinet", + "source.ip": [ + "10.178.77.231" + ], + "source.port": 5294, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "liquide" + }, + { + "@timestamp": "2020-01-20T16:14:16.000Z", + "destination.ip": [ + "10.221.89.228" + ], + "destination.port": 2447, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera 
traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ris3314.mail.invalid", + "input.type": "log", + "log.offset": 6831, + "network.direction": "outbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2493, + "related.ip": [ + "10.221.89.228", + "10.177.194.18" + ], + "related.user": [ + "aliquam" + ], + "rsa.counters.dclass_c1": 1747, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ris3314.mail.invalid" + ], + "rsa.network.domain": "nimid893.mail.corp", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "server.domain": "nimid893.mail.corp", + "service.type": "fortinet", + "source.ip": [ + "10.177.194.18" + ], + "source.port": 766, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "aliquam" + }, + { + "@timestamp": "2020-02-03T23:16:50.000Z", + "destination.ip": [ + "10.32.239.1" + ], + "destination.port": 3128, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reme622.mail.example", + "input.type": "log", + "log.offset": 7099, + "network.direction": 
"unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3022, + "related.ip": [ + "10.241.65.49", + "10.32.239.1" + ], + "related.user": [ + "idata" + ], + "rsa.counters.dclass_c1": 3522, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reme622.mail.example" + ], + "rsa.network.domain": "rumwritt6003.host", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "server.domain": "rumwritt6003.host", + "service.type": "fortinet", + "source.ip": [ + "10.241.65.49" + ], + "source.port": 3027, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "idata" + }, + { + "@timestamp": "2020-02-18T06:19:24.000Z", + "destination.ip": [ + "10.101.57.120" + ], + "destination.port": 6501, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "non3341.mail.invalid", + "input.type": "log", + "log.offset": 7373, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2328, + "related.ip": [ + "10.168.90.81", + "10.101.57.120" + ], + "related.user": [ + "eporr" + ], + 
"rsa.counters.dclass_c1": 5516, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "non3341.mail.invalid" + ], + "rsa.network.domain": "xeacomm6855.api.corp", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "server.domain": "xeacomm6855.api.corp", + "service.type": "fortinet", + "source.ip": [ + "10.168.90.81" + ], + "source.port": 6866, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eporr" + }, + { + "@timestamp": "2020-03-04T13:21:59.000Z", + "destination.ip": [ + "10.130.14.60" + ], + "destination.port": 2051, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ris727.api.local", + "input.type": "log", + "log.offset": 7646, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1156, + "related.ip": [ + "10.130.14.60", + "10.14.211.43" + ], + "related.user": [ + "litse" + ], + "rsa.counters.dclass_c1": 7200, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ris727.api.local" + ], + "rsa.network.domain": "icabo4125.mail.domain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "server.domain": "icabo4125.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.14.211.43" + ], + "source.port": 4456, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "litse" + }, + { + "@timestamp": "2020-03-18T20:24:33.000Z", + "destination.ip": [ + "10.248.101.25" + ], + "destination.port": 5740, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "stquido5705.api.host", + "input.type": "log", + "log.offset": 7918, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6003, + "related.ip": [ + "10.248.101.25", + "10.60.129.15" + ], + "related.user": [ + "evolup" + ], + "rsa.counters.dclass_c1": 6437, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "stquido5705.api.host" + ], + "rsa.network.domain": "ionofdeF5643.www.localhost", + "rsa.network.network_service": "http", + "rsa.time.event_time": 
"2020-03-18T20:24:33.000Z", + "server.domain": "ionofdeF5643.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.60.129.15" + ], + "source.port": 106, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "evolup" + }, + { + "@timestamp": "2020-04-02T03:27:07.000Z", + "destination.ip": [ + "10.111.187.12" + ], + "destination.port": 3994, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "etcons7378.api.lan", + "input.type": "log", + "log.offset": 8192, + "network.direction": "inbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5651, + "related.ip": [ + "10.111.187.12", + "10.72.93.28" + ], + "related.user": [ + "niamqui" + ], + "rsa.counters.dclass_c1": 3427, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "etcons7378.api.lan" + ], + "rsa.network.domain": "orem6702.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "server.domain": "orem6702.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.72.93.28" + ], + "source.port": 3577, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "niamqui" + }, + { + "@timestamp": 
"2020-04-16T10:29:41.000Z", + "destination.ip": [ + "10.66.2.232" + ], + "destination.port": 5764, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "vita2681.www5.local", + "input.type": "log", + "log.offset": 8450, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3470, + "related.ip": [ + "10.66.2.232", + "10.27.14.168" + ], + "related.user": [ + "uirati" + ], + "rsa.counters.dclass_c1": 6708, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "vita2681.www5.local" + ], + "rsa.network.domain": "oin6780.mail.domain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "server.domain": "oin6780.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.27.14.168" + ], + "source.port": 2224, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uirati" + }, + { + "@timestamp": "2020-04-30T17:32:16.000Z", + "destination.ip": [ + "10.195.2.130" + ], + "destination.port": 202, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + 
"event.original": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tnulapa7592.www.local", + "input.type": "log", + "log.offset": 8727, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6932, + "related.ip": [ + "10.75.99.127", + "10.195.2.130" + ], + "related.user": [ + "inibusB" + ], + "rsa.counters.dclass_c1": 3828, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tnulapa7592.www.local" + ], + "rsa.network.domain": "eprehen3224.www5.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "server.domain": "eprehen3224.www5.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.75.99.127" + ], + "source.port": 1766, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "inibusB" + }, + { + "@timestamp": "2020-05-15T00:34:50.000Z", + "destination.ip": [ + "10.245.104.182" + ], + "destination.port": 55, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound 
block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lup2134.www.localhost", + "input.type": "log", + "log.offset": 9015, + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6945, + "related.ip": [ + "10.245.104.182", + "10.201.238.90" + ], + "related.user": [ + "ovol" + ], + "rsa.counters.dclass_c1": 4198, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "lup2134.www.localhost" + ], + "rsa.network.domain": "ptasn6599.www.localhost", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "server.domain": "ptasn6599.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.201.238.90" + ], + "source.port": 3759, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ovol" + }, + { + "@timestamp": "2020-05-29T07:37:24.000Z", + "destination.ip": [ + "10.105.91.31" + ], + "destination.port": 5987, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tanimid3337.mail.corp", + "input.type": "log", + "log.offset": 9287, + "network.direction": "external", + 
"network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 853, + "related.ip": [ + "10.217.150.196", + "10.105.91.31" + ], + "related.user": [ + "con" + ], + "rsa.counters.dclass_c1": 4444, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tanimid3337.mail.corp" + ], + "rsa.network.domain": "nisist2752.home", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "server.domain": "nisist2752.home", + "service.type": "fortinet", + "source.ip": [ + "10.217.150.196" + ], + "source.port": 2056, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "con" + }, + { + "@timestamp": "2020-06-12T14:39:58.000Z", + "destination.ip": [ + "10.184.18.202" + ], + "destination.port": 205, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eumiu765.api.lan", + "input.type": "log", + "log.offset": 9556, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4153, + "related.ip": [ + "10.4.157.1", + "10.184.18.202" + ], + "related.user": [ + "oditem" + ], + "rsa.counters.dclass_c1": 725, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "eumiu765.api.lan" + ], + "rsa.network.domain": "gitsedqu2649.mail.lan", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "server.domain": "gitsedqu2649.mail.lan", + "service.type": "fortinet", + "source.ip": [ + "10.4.157.1" + ], + "source.port": 52, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "oditem" + }, + { + "@timestamp": "2020-06-26T21:42:33.000Z", + "destination.ip": [ + "10.113.95.59" + ], + "destination.port": 4367, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "mquelau5326.mail.lan", + "input.type": "log", + "log.offset": 9824, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1693, + "related.ip": [ + "10.113.95.59", + "10.255.39.252" + ], + "related.user": [ + "persp" + ], + "rsa.counters.dclass_c1": 3147, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": 
"success", + "rsa.network.alias_host": [ + "mquelau5326.mail.lan" + ], + "rsa.network.domain": "entsunt3962.www.example", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "server.domain": "entsunt3962.www.example", + "service.type": "fortinet", + "source.ip": [ + "10.255.39.252" + ], + "source.port": 863, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "persp" + }, + { + "@timestamp": "2020-07-11T04:45:07.000Z", + "destination.ip": [ + "10.83.177.2" + ], + "destination.port": 1827, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "idestlab2631.www.lan", + "input.type": "log", + "log.offset": 10097, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 337, + "related.ip": [ + "10.27.16.118", + "10.83.177.2" + ], + "related.user": [ + "borios" + ], + "rsa.counters.dclass_c1": 1300, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "idestlab2631.www.lan" + ], + "rsa.network.domain": "tut2703.www.host", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", + "server.domain": "tut2703.www.host", + "service.type": "fortinet", + 
"source.ip": [ + "10.27.16.118" + ], + "source.port": 18, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "borios" + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "destination.ip": [ + "10.167.227.44" + ], + "destination.port": 5736, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "inesci6789.test", + "input.type": "log", + "log.offset": 10353, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7041, + "related.ip": [ + "10.38.54.72", + "10.167.227.44" + ], + "related.user": [ + "riamea" + ], + "rsa.counters.dclass_c1": 7644, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "inesci6789.test" + ], + "rsa.network.domain": "entorev160.test", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "server.domain": "entorev160.test", + "service.type": "fortinet", + "source.ip": [ + "10.38.54.72" + ], + "source.port": 6595, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "riamea" + }, + { + "@timestamp": "2019-08-08T18:50:15.000Z", + "destination.ip": [ + "10.215.205.216" + ], + "destination.port": 647, + "event.action": "deny", + "event.code": 
"http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ccaeca7077.internal.corp", + "input.type": "log", + "log.offset": 10608, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3854, + "related.ip": [ + "10.216.54.184", + "10.215.205.216" + ], + "related.user": [ + "ameiusm" + ], + "rsa.counters.dclass_c1": 7536, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ccaeca7077.internal.corp" + ], + "rsa.network.domain": "proide3714.mail.localdomain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "server.domain": "proide3714.mail.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.216.54.184" + ], + "source.port": 1495, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ameiusm" + }, + { + "@timestamp": "2019-08-23T01:52:50.000Z", + "destination.ip": [ + "10.9.18.237" + ], + "destination.port": 2486, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 
server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ima2031.api.corp", + "input.type": "log", + "log.offset": 10891, + "network.direction": "internal", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 55, + "related.ip": [ + "10.9.18.237", + "10.9.12.248" + ], + "related.user": [ + "uradi" + ], + "rsa.counters.dclass_c1": 6379, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ima2031.api.corp" + ], + "rsa.network.domain": "tot5313.mail.invalid", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "server.domain": "tot5313.mail.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.9.12.248" + ], + "source.port": 765, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uradi" + }, + { + "@timestamp": "2019-09-06T08:55:24.000Z", + "destination.ip": [ + "10.41.123.102" + ], + "destination.port": 2300, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ian867.internal.corp", + "input.type": "log", + "log.offset": 
11153, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 228, + "related.ip": [ + "10.83.130.226", + "10.41.123.102" + ], + "related.user": [ + "tenim" + ], + "rsa.counters.dclass_c1": 7661, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ian867.internal.corp" + ], + "rsa.network.domain": "rumet3801.internal.domain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "server.domain": "rumet3801.internal.domain", + "service.type": "fortinet", + "source.ip": [ + "10.83.130.226" + ], + "source.port": 1542, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tenim" + }, + { + "@timestamp": "2019-09-20T15:57:58.000Z", + "destination.ip": [ + "10.80.152.108" + ], + "destination.port": 2742, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lorin4249.corp", + "input.type": "log", + "log.offset": 11432, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4253, + "related.ip": [ + "10.175.112.197", + "10.80.152.108" + ], + 
"related.user": [ + "tametcon" + ], + "rsa.counters.dclass_c1": 6984, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "lorin4249.corp" + ], + "rsa.network.domain": "liqua2834.www5.lan", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "server.domain": "liqua2834.www5.lan", + "service.type": "fortinet", + "source.ip": [ + "10.175.112.197" + ], + "source.port": 1749, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tametcon" + }, + { + "@timestamp": "2019-10-04T23:00:32.000Z", + "destination.ip": [ + "10.142.25.100" + ], + "destination.port": 5770, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gnaaliqu3935.api.test", + "input.type": "log", + "log.offset": 11701, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2200, + "related.ip": [ + "10.142.25.100", + "10.134.18.114" + ], + "related.user": [ + "osqui" + ], + "rsa.counters.dclass_c1": 624, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": 
"ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "gnaaliqu3935.api.test" + ], + "rsa.network.domain": "sequat7273.api.host", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "server.domain": "sequat7273.api.host", + "service.type": "fortinet", + "source.ip": [ + "10.134.18.114" + ], + "source.port": 2761, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "osqui" + }, + { + "@timestamp": "2019-10-19T06:03:07.000Z", + "destination.ip": [ + "10.223.119.218" + ], + "destination.port": 300, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "nsequat1859.internal.localhost", + "input.type": "log", + "log.offset": 11966, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5717, + "related.ip": [ + "10.28.118.160", + "10.223.119.218" + ], + "related.user": [ + "ntsunt" + ], + "rsa.counters.dclass_c1": 4387, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "nsequat1859.internal.localhost" + ], + "rsa.network.domain": "uidol4575.localhost", + "rsa.network.network_service": "http", + 
"rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "server.domain": "uidol4575.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.28.118.160" + ], + "source.port": 6247, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ntsunt" + }, + { + "@timestamp": "2019-11-02T13:05:41.000Z", + "destination.ip": [ + "10.47.28.48" + ], + "destination.port": 3032, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ritin2495.api.corp", + "input.type": "log", + "log.offset": 12249, + "network.direction": "unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4469, + "related.ip": [ + "10.110.114.175", + "10.47.28.48" + ], + "related.user": [ + "plicab" + ], + "rsa.counters.dclass_c1": 4488, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ritin2495.api.corp" + ], + "rsa.network.domain": "oremq2000.api.corp", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "server.domain": "oremq2000.api.corp", + "service.type": "fortinet", + "source.ip": [ + "10.110.114.175" + ], + "source.port": 4986, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "plicab" + }, + { + 
"@timestamp": "2019-11-16T20:08:15.000Z", + "destination.ip": [ + "10.90.33.138" + ], + "destination.port": 7876, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tetur2694.mail.local", + "input.type": "log", + "log.offset": 12516, + "network.direction": "external", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5524, + "related.ip": [ + "10.40.251.202", + "10.90.33.138" + ], + "related.user": [ + "nvolupt" + ], + "rsa.counters.dclass_c1": 6847, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tetur2694.mail.local" + ], + "rsa.network.domain": "oremi1485.api.localhost", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "server.domain": "oremi1485.api.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.40.251.202" + ], + "source.port": 5733, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nvolupt" + }, + { + "@timestamp": "2019-12-01T03:10:49.000Z", + "destination.ip": [ + "10.227.173.252" + ], + "destination.port": 5337, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + 
"event.original": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rem7043.localhost", + "input.type": "log", + "log.offset": 12794, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3624, + "related.ip": [ + "10.65.2.106", + "10.227.173.252" + ], + "related.user": [ + "itation" + ], + "rsa.counters.dclass_c1": 7576, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "rem7043.localhost" + ], + "rsa.network.domain": "sequatD5469.www5.lan", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "server.domain": "sequatD5469.www5.lan", + "service.type": "fortinet", + "source.ip": [ + "10.65.2.106" + ], + "source.port": 5410, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "itation" + }, + { + "@timestamp": "2019-12-15T10:13:24.000Z", + "destination.ip": [ + "10.28.84.106" + ], + "destination.port": 4844, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 
logon_user=tla@item2738.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "emqu2846.internal.home", + "input.type": "log", + "log.offset": 13075, + "network.direction": "inbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1609, + "related.ip": [ + "10.193.233.229", + "10.28.84.106" + ], + "related.user": [ + "tla" + ], + "rsa.counters.dclass_c1": 3096, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "emqu2846.internal.home" + ], + "rsa.network.domain": "item2738.test", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "server.domain": "item2738.test", + "service.type": "fortinet", + "source.ip": [ + "10.193.233.229" + ], + "source.port": 2859, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tla" + }, + { + "@timestamp": "2019-12-29T17:15:58.000Z", + "destination.ip": [ + "10.210.89.183" + ], + "destination.port": 2589, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dqu6144.api.localhost", + "input.type": "log", + "log.offset": 13341, + "network.direction": "external", + "network.protocol": 
"ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6248, + "related.ip": [ + "10.150.245.88", + "10.210.89.183" + ], + "related.user": [ + "sequa" + ], + "rsa.counters.dclass_c1": 2700, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "dqu6144.api.localhost" + ], + "rsa.network.domain": "iosamnis1047.internal.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "server.domain": "iosamnis1047.internal.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.150.245.88" + ], + "source.port": 3642, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "sequa" + }, + { + "@timestamp": "2020-01-13T00:18:32.000Z", + "destination.ip": [ + "10.85.185.13" + ], + "destination.port": 7793, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "giatquov1918.internal.example", + "input.type": "log", + "log.offset": 13637, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7224, + "related.ip": [ + "10.85.185.13", + 
"10.180.195.43" + ], + "related.user": [ + "voluptas" + ], + "rsa.counters.dclass_c1": 1867, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "giatquov1918.internal.example" + ], + "rsa.network.domain": "orroq6677.internal.example", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "server.domain": "orroq6677.internal.example", + "service.type": "fortinet", + "source.ip": [ + "10.180.195.43" + ], + "source.port": 4540, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "voluptas" + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "destination.ip": [ + "10.210.28.247" + ], + "destination.port": 7257, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "estl5804.internal.local", + "input.type": "log", + "log.offset": 13936, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 430, + "related.ip": [ + "10.207.211.230", + "10.210.28.247" + ], + "related.user": [ + "tate" + ], + "rsa.counters.dclass_c1": 7672, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "estl5804.internal.local" + ], + "rsa.network.domain": "onevo4326.internal.local", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "server.domain": "onevo4326.internal.local", + "service.type": "fortinet", + "source.ip": [ + "10.207.211.230" + ], + "source.port": 3449, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tate" + }, + { + "@timestamp": "2020-02-10T14:23:41.000Z", + "destination.ip": [ + "10.248.165.185" + ], + "destination.port": 5460, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "Sedut1775.www.domain", + "input.type": "log", + "log.offset": 14222, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3589, + "related.ip": [ + "10.86.11.48", + "10.248.165.185" + ], + "related.user": [ + "dquiac" + ], + "rsa.counters.dclass_c1": 4801, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + 
"rsa.network.alias_host": [ + "Sedut1775.www.domain" + ], + "rsa.network.domain": "itaedict7233.mail.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "server.domain": "itaedict7233.mail.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.86.11.48" + ], + "source.port": 3436, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dquiac" + }, + { + "@timestamp": "2020-02-24T21:26:15.000Z", + "destination.ip": [ + "10.47.125.38" + ], + "destination.port": 3896, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "mac7484.www5.test", + "input.type": "log", + "log.offset": 14513, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4814, + "related.ip": [ + "10.47.125.38", + "10.118.6.177" + ], + "related.user": [ + "quunt" + ], + "rsa.counters.dclass_c1": 1844, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "mac7484.www5.test" + ], + "rsa.network.domain": "numquam5869.internal.example", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "server.domain": 
"numquam5869.internal.example", + "service.type": "fortinet", + "source.ip": [ + "10.118.6.177" + ], + "source.port": 6977, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quunt" + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "destination.ip": [ + "10.60.142.127" + ], + "destination.port": 5112, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "oin1140.mail.localhost", + "input.type": "log", + "log.offset": 14789, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 276, + "related.ip": [ + "10.60.142.127", + "10.50.233.155" + ], + "related.user": [ + "atv" + ], + "rsa.counters.dclass_c1": 2241, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oin1140.mail.localhost" + ], + "rsa.network.domain": "onu6137.api.home", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "server.domain": "onu6137.api.home", + "service.type": "fortinet", + "source.ip": [ + "10.50.233.155" + ], + "source.port": 1081, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "atv" + }, + { + "@timestamp": "2020-03-25T11:31:24.000Z", + "destination.ip": [ + 
"10.120.10.211" + ], + "destination.port": 7661, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "naaliq3710.api.local", + "input.type": "log", + "log.offset": 15054, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2452, + "related.ip": [ + "10.120.10.211", + "10.28.82.189" + ], + "related.user": [ + "rcit" + ], + "rsa.counters.dclass_c1": 7705, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "naaliq3710.api.local" + ], + "rsa.network.domain": "aecatcup2241.www5.test", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "server.domain": "aecatcup2241.www5.test", + "service.type": "fortinet", + "source.ip": [ + "10.28.82.189" + ], + "source.port": 3916, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "rcit" + }, + { + "@timestamp": "2020-04-08T18:33:58.000Z", + "destination.ip": [ + "10.6.38.163" + ], + "destination.port": 4059, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny 
src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "volupta3552.internal.localhost", + "input.type": "log", + "log.offset": 15318, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3453, + "related.ip": [ + "10.31.237.225", + "10.6.38.163" + ], + "related.user": [ + "olup" + ], + "rsa.counters.dclass_c1": 2820, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "volupta3552.internal.localhost" + ], + "rsa.network.domain": "labor6360.mail.local", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "server.domain": "labor6360.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.31.237.225" + ], + "source.port": 6153, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olup" + }, + { + "@timestamp": "2020-04-23T01:36:32.000Z", + "destination.ip": [ + "10.125.165.144" + ], + "destination.port": 7889, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", + "event.outcome": "failure", + "fileset.name": 
"clientendpoint", + "host.name": "onse380.internal.localdomain", + "input.type": "log", + "log.offset": 15594, + "network.direction": "inbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2302, + "related.ip": [ + "10.226.5.189", + "10.125.165.144" + ], + "related.user": [ + "mvolu" + ], + "rsa.counters.dclass_c1": 5407, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "onse380.internal.localdomain" + ], + "rsa.network.domain": "mveleum4322.www5.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "server.domain": "mveleum4322.www5.host", + "service.type": "fortinet", + "source.ip": [ + "10.226.5.189" + ], + "source.port": 3371, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mvolu" + }, + { + "@timestamp": "2020-05-07T08:39:06.000Z", + "destination.ip": [ + "10.46.56.204" + ], + "destination.port": 5070, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "queips4947.mail.example", + "input.type": "log", + "log.offset": 15872, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": 
"Fortinet", + "process.pid": 7079, + "related.ip": [ + "10.97.149.97", + "10.46.56.204" + ], + "related.user": [ + "dolorsit" + ], + "rsa.counters.dclass_c1": 2441, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "queips4947.mail.example" + ], + "rsa.network.domain": "archite1843.mail.home", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "server.domain": "archite1843.mail.home", + "service.type": "fortinet", + "source.ip": [ + "10.97.149.97" + ], + "source.port": 2463, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dolorsit" + }, + { + "@timestamp": "2020-05-21T15:41:41.000Z", + "destination.ip": [ + "10.28.105.124" + ], + "destination.port": 4797, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "oloreseo5039.test", + "input.type": "log", + "log.offset": 16138, + "network.direction": "outbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5773, + "related.ip": [ + "10.218.0.197", + "10.28.105.124" + ], + "related.user": [ + "ntNe" + ], + "rsa.counters.dclass_c1": 5749, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oloreseo5039.test" + ], + "rsa.network.domain": "itanim4024.api.example", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "server.domain": "itanim4024.api.example", + "service.type": "fortinet", + "source.ip": [ + "10.218.0.197" + ], + "source.port": 7581, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ntNe" + }, + { + "@timestamp": "2020-06-04T22:44:15.000Z", + "destination.ip": [ + "10.17.87.79" + ], + "destination.port": 3414, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "minim459.mail.local", + "input.type": "log", + "log.offset": 16405, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1586, + "related.ip": [ + "10.17.87.79", + "10.123.199.198" + ], + "related.user": [ + "ratvolu" + ], + "rsa.counters.dclass_c1": 5006, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "minim459.mail.local" + ], + 
"rsa.network.domain": "nreprehe715.api.home", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "server.domain": "nreprehe715.api.home", + "service.type": "fortinet", + "source.ip": [ + "10.123.199.198" + ], + "source.port": 6332, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ratvolu" + }, + { + "@timestamp": "2020-06-19T05:46:49.000Z", + "destination.ip": [ + "10.115.68.40" + ], + "destination.port": 5483, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eratv211.api.host", + "input.type": "log", + "log.offset": 16672, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5137, + "related.ip": [ + "10.115.68.40", + "10.38.86.177" + ], + "related.user": [ + "mpo" + ], + "rsa.counters.dclass_c1": 2841, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "eratv211.api.host" + ], + "rsa.network.domain": "unte893.internal.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "server.domain": "unte893.internal.host", + "service.type": "fortinet", + "source.ip": [ + "10.38.86.177" + ], + "source.port": 5768, + "tags": 
[ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mpo" + }, + { + "@timestamp": "2020-07-03T12:49:23.000Z", + "destination.ip": [ + "10.115.174.107" + ], + "destination.port": 5597, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aparia1179.www.localdomain", + "input.type": "log", + "log.offset": 16935, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5704, + "related.ip": [ + "10.115.174.107", + "10.193.118.163" + ], + "related.user": [ + "exeacomm" + ], + "rsa.counters.dclass_c1": 10, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aparia1179.www.localdomain" + ], + "rsa.network.domain": "aspe951.mail.domain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "server.domain": "aspe951.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.193.118.163" + ], + "source.port": 548, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "exeacomm" + }, + { + "@timestamp": "2019-07-17T19:51:58.000Z", + "destination.ip": [ + "10.77.77.208" + ], + "destination.port": 1101, + "event.action": "deny", + "event.code": "http", + 
"event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "iatqu6203.mail.corp", + "input.type": "log", + "log.offset": 17210, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2310, + "related.ip": [ + "10.77.77.208", + "10.37.128.49" + ], + "related.user": [ + "moles" + ], + "rsa.counters.dclass_c1": 2653, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "iatqu6203.mail.corp" + ], + "rsa.network.domain": "dipiscin4957.www.home", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "server.domain": "dipiscin4957.www.home", + "service.type": "fortinet", + "source.ip": [ + "10.37.128.49" + ], + "source.port": 625, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "moles" + }, + { + "@timestamp": "2019-08-01T02:54:32.000Z", + "destination.ip": [ + "10.1.96.93" + ], + "destination.port": 428, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 
app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ptasnula6576.api.invalid", + "input.type": "log", + "log.offset": 17477, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5398, + "related.ip": [ + "10.1.96.93", + "10.54.73.158" + ], + "related.user": [ + "lloinven" + ], + "rsa.counters.dclass_c1": 4392, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ptasnula6576.api.invalid" + ], + "rsa.network.domain": "econs2687.internal.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "server.domain": "econs2687.internal.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.54.73.158" + ], + "source.port": 5752, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "lloinven" + }, + { + "@timestamp": "2019-08-15T09:57:06.000Z", + "destination.ip": [ + "10.182.152.242" + ], + "destination.port": 6998, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": 
"mag1506.internal.domain", + "input.type": "log", + "log.offset": 17766, + "network.direction": "inbound", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2465, + "related.ip": [ + "10.131.126.109", + "10.182.152.242" + ], + "related.user": [ + "dolor" + ], + "rsa.counters.dclass_c1": 3208, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mag1506.internal.domain" + ], + "rsa.network.domain": "tiumto5834.api.lan", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "server.domain": "tiumto5834.api.lan", + "service.type": "fortinet", + "source.ip": [ + "10.131.126.109" + ], + "source.port": 1877, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dolor" + }, + { + "@timestamp": "2019-08-29T16:59:40.000Z", + "destination.ip": [ + "10.77.229.168" + ], + "destination.port": 3777, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "fugits1163.host", + "input.type": "log", + "log.offset": 18041, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6064, + "related.ip": [ + 
"10.181.247.224", + "10.77.229.168" + ], + "related.user": [ + "adol" + ], + "rsa.counters.dclass_c1": 329, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "fugits1163.host" + ], + "rsa.network.domain": "iutal6032.www.test", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "server.domain": "iutal6032.www.test", + "service.type": "fortinet", + "source.ip": [ + "10.181.247.224" + ], + "source.port": 260, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "adol" + }, + { + "@timestamp": "2019-09-13T00:02:15.000Z", + "destination.ip": [ + "10.72.162.6" + ], + "destination.port": 5516, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gitse2463.www5.invalid", + "input.type": "log", + "log.offset": 18303, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2861, + "related.ip": [ + "10.72.162.6", + "10.235.116.121" + ], + "related.user": [ + "oinv" + ], + "rsa.counters.dclass_c1": 1444, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "gitse2463.www5.invalid" + ], + "rsa.network.domain": "inculp2078.host", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "server.domain": "inculp2078.host", + "service.type": "fortinet", + "source.ip": [ + "10.235.116.121" + ], + "source.port": 1, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "oinv" + }, + { + "@timestamp": "2019-09-27T07:04:49.000Z", + "destination.ip": [ + "10.28.124.236" + ], + "destination.port": 3434, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "temse6953.www.example", + "input.type": "log", + "log.offset": 18572, + "network.direction": "internal", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3559, + "related.ip": [ + "10.149.193.117", + "10.28.124.236" + ], + "related.user": [ + "mullam" + ], + "rsa.counters.dclass_c1": 3176, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "temse6953.www.example" + ], + "rsa.network.domain": "mexerc2757.internal.home", + 
"rsa.network.network_service": "https", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "server.domain": "mexerc2757.internal.home", + "service.type": "fortinet", + "source.ip": [ + "10.149.193.117" + ], + "source.port": 5343, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mullam" + }, + { + "@timestamp": "2019-10-11T14:07:23.000Z", + "destination.ip": [ + "10.196.96.162" + ], + "destination.port": 6378, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "deriti6952.mail.domain", + "input.type": "log", + "log.offset": 18860, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1710, + "related.ip": [ + "10.196.96.162", + "10.34.131.224" + ], + "related.user": [ + "tnonproi" + ], + "rsa.counters.dclass_c1": 7174, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "deriti6952.mail.domain" + ], + "rsa.network.domain": "squira4455.api.domain", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "server.domain": "squira4455.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.34.131.224" + ], + "source.port": 649, + "tags": [ 
+ "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tnonproi" + }, + { + "@timestamp": "2019-10-25T21:09:57.000Z", + "destination.ip": [ + "10.77.78.180" + ], + "destination.port": 5380, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "abor1370.www.domain", + "input.type": "log", + "log.offset": 19144, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4984, + "related.ip": [ + "10.97.236.123", + "10.77.78.180" + ], + "related.user": [ + "nisi" + ], + "rsa.counters.dclass_c1": 4782, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "abor1370.www.domain" + ], + "rsa.network.domain": "emveleum3661.localhost", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "server.domain": "emveleum3661.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.97.236.123" + ], + "source.port": 5159, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nisi" + }, + { + "@timestamp": "2019-11-09T04:12:32.000Z", + "destination.ip": [ + "10.45.54.107" + ], + "destination.port": 3593, + "event.action": "deny", + "event.code": "ms-wbt-server", + 
"event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "emullamc5418.mail.test", + "input.type": "log", + "log.offset": 19419, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3421, + "related.ip": [ + "10.82.133.66", + "10.45.54.107" + ], + "related.user": [ + "olorem" + ], + "rsa.counters.dclass_c1": 5362, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "emullamc5418.mail.test" + ], + "rsa.network.domain": "sedquiac6517.internal.localhost", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "server.domain": "sedquiac6517.internal.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.82.133.66" + ], + "source.port": 7229, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olorem" + }, + { + "@timestamp": "2019-11-23T11:15:06.000Z", + "destination.ip": [ + "10.170.252.219" + ], + "destination.port": 2454, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 
src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "squirati7050.www5.lan", + "input.type": "log", + "log.offset": 19708, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4020, + "related.ip": [ + "10.180.180.230", + "10.170.252.219" + ], + "related.user": [ + "nse" + ], + "rsa.counters.dclass_c1": 7020, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "squirati7050.www5.lan" + ], + "rsa.network.domain": "veniam3148.www5.home", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "server.domain": "veniam3148.www5.home", + "service.type": "fortinet", + "source.ip": [ + "10.180.180.230" + ], + "source.port": 4147, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nse" + }, + { + "@timestamp": "2019-12-07T18:17:40.000Z", + "destination.ip": [ + "10.65.144.51" + ], + "destination.port": 2283, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "venia2079.mail.example", + 
"input.type": "log", + "log.offset": 19984, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 617, + "related.ip": [ + "10.5.11.205", + "10.65.144.51" + ], + "related.user": [ + "uptat" + ], + "rsa.counters.dclass_c1": 5050, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "venia2079.mail.example" + ], + "rsa.network.domain": "unt3559.www.home", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", + "server.domain": "unt3559.www.home", + "service.type": "fortinet", + "source.ip": [ + "10.5.11.205" + ], + "source.port": 4901, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uptat" + }, + { + "@timestamp": "2019-12-22T01:20:14.000Z", + "destination.ip": [ + "10.76.122.196" + ], + "destination.port": 5325, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "snostrum3450.www5.localhost", + "input.type": "log", + "log.offset": 20247, + "network.direction": "external", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 487, + "related.ip": [ + "10.76.122.196", + 
"10.195.223.82" + ], + "related.user": [ + "umiurer" + ], + "rsa.counters.dclass_c1": 593, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "snostrum3450.www5.localhost" + ], + "rsa.network.domain": "rere5274.mail.domain", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "server.domain": "rere5274.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.195.223.82" + ], + "source.port": 3128, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umiurer" + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "destination.ip": [ + "10.225.255.211" + ], + "destination.port": 3369, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gelitsed3249.corp", + "input.type": "log", + "log.offset": 20522, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2442, + "related.ip": [ + "10.138.210.116", + "10.225.255.211" + ], + "related.user": [ + "fugiatn" + ], + "rsa.counters.dclass_c1": 956, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "gelitsed3249.corp" + ], + "rsa.network.domain": "uaeabi3728.www5.invalid", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "server.domain": "uaeabi3728.www5.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.138.210.116" + ], + "source.port": 5595, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "fugiatn" + }, + { + "@timestamp": "2020-01-19T15:25:23.000Z", + "destination.ip": [ + "10.219.1.151" + ], + "destination.port": 4323, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dolor7082.internal.localhost", + "input.type": "log", + "log.offset": 20805, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6311, + "related.ip": [ + "10.250.81.189", + "10.219.1.151" + ], + "related.user": [ + "ori" + ], + "rsa.counters.dclass_c1": 3262, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "dolor7082.internal.localhost" + ], + "rsa.network.domain": 
"uamqu2804.test", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "server.domain": "uamqu2804.test", + "service.type": "fortinet", + "source.ip": [ + "10.250.81.189" + ], + "source.port": 5404, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ori" + }, + { + "@timestamp": "2020-02-02T22:27:57.000Z", + "destination.ip": [ + "10.76.125.70" + ], + "destination.port": 756, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "totam6886.api.localhost", + "input.type": "log", + "log.offset": 21076, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7128, + "related.ip": [ + "10.54.23.133", + "10.76.125.70" + ], + "related.user": [ + "oloreeu" + ], + "rsa.counters.dclass_c1": 1916, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "totam6886.api.localhost" + ], + "rsa.network.domain": "olor5201.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "server.domain": "olor5201.host", + "service.type": "fortinet", + "source.ip": [ + "10.54.23.133" + ], + "source.port": 3258, + "tags": [ + "fortinet.clientendpoint", + 
"forwarded" + ], + "user.name": "oloreeu" + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "destination.ip": [ + "10.189.42.62" + ], + "destination.port": 4262, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "laborum5749.www.example", + "input.type": "log", + "log.offset": 21347, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2780, + "related.ip": [ + "10.189.42.62", + "10.36.110.69" + ], + "related.user": [ + "eque" + ], + "rsa.counters.dclass_c1": 170, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "laborum5749.www.example" + ], + "rsa.network.domain": "eufug3348.www.lan", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "server.domain": "eufug3348.www.lan", + "service.type": "fortinet", + "source.ip": [ + "10.36.110.69" + ], + "source.port": 4187, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eque" + }, + { + "@timestamp": "2020-03-03T12:33:06.000Z", + "destination.ip": [ + "10.183.202.82" + ], + "destination.port": 2208, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": 
"fortinet", + "event.original": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lup3313.api.home", + "input.type": "log", + "log.offset": 21616, + "network.direction": "unknown", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3284, + "related.ip": [ + "10.183.202.82", + "10.47.179.68" + ], + "related.user": [ + "umfugi" + ], + "rsa.counters.dclass_c1": 2645, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "lup3313.api.home" + ], + "rsa.network.domain": "stquidol239.www5.invalid", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "server.domain": "stquidol239.www5.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.47.179.68" + ], + "source.port": 5107, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umfugi" + }, + { + "@timestamp": "2020-03-17T19:35:40.000Z", + "destination.ip": [ + "10.221.206.74" + ], + "destination.port": 1480, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 
logon_user=quas@gia6531.mail.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "edq5397.www.test", + "input.type": "log", + "log.offset": 21882, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2314, + "related.ip": [ + "10.221.206.74", + "10.73.28.165" + ], + "related.user": [ + "quas" + ], + "rsa.counters.dclass_c1": 5572, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "edq5397.www.test" + ], + "rsa.network.domain": "gia6531.mail.invalid", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "server.domain": "gia6531.mail.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.73.28.165" + ], + "source.port": 3668, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quas" + }, + { + "@timestamp": "2020-04-01T02:38:14.000Z", + "destination.ip": [ + "10.14.204.36" + ], + "destination.port": 4887, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "udan6536.www5.test", + "input.type": "log", + "log.offset": 22154, + "network.direction": "inbound", + "network.protocol": "ipv6", + 
"observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5284, + "related.ip": [ + "10.14.204.36", + "10.85.104.146" + ], + "related.user": [ + "emp" + ], + "rsa.counters.dclass_c1": 973, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "udan6536.www5.test" + ], + "rsa.network.domain": "lamcola4879.www5.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "server.domain": "lamcola4879.www5.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.85.104.146" + ], + "source.port": 3442, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emp" + }, + { + "@timestamp": "2020-04-15T09:40:49.000Z", + "destination.ip": [ + "10.30.246.132" + ], + "destination.port": 388, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rumet6923.www5.lan", + "input.type": "log", + "log.offset": 22429, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3990, + "related.ip": [ + "10.30.246.132", + "10.208.18.210" + ], + "related.user": [ + "veniam" + ], + "rsa.counters.dclass_c1": 
5624, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "rumet6923.www5.lan" + ], + "rsa.network.domain": "edquian330.mail.local", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "server.domain": "edquian330.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.208.18.210" + ], + "source.port": 3601, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "veniam" + }, + { + "@timestamp": "2020-04-29T16:43:23.000Z", + "destination.ip": [ + "10.19.119.17" + ], + "destination.port": 3822, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "itse522.internal.localdomain", + "input.type": "log", + "log.offset": 22698, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4337, + "related.ip": [ + "10.106.249.91", + "10.19.119.17" + ], + "related.user": [ + "lit" + ], + "rsa.counters.dclass_c1": 2783, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + 
"rsa.misc.result": "success", + "rsa.network.alias_host": [ + "itse522.internal.localdomain" + ], + "rsa.network.domain": "santi837.api.domain", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "server.domain": "santi837.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.106.249.91" + ], + "source.port": 1732, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "lit" + }, + { + "@timestamp": "2020-05-13T23:45:57.000Z", + "destination.ip": [ + "10.181.41.154" + ], + "destination.port": 866, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "amc3059.local", + "input.type": "log", + "log.offset": 22970, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5275, + "related.ip": [ + "10.29.109.126", + "10.181.41.154" + ], + "related.user": [ + "labo" + ], + "rsa.counters.dclass_c1": 6721, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "amc3059.local" + ], + "rsa.network.domain": "lpaquiof804.internal.invalid", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "server.domain": "lpaquiof804.internal.invalid", 
+ "service.type": "fortinet", + "source.ip": [ + "10.29.109.126" + ], + "source.port": 6261, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "labo" + }, + { + "@timestamp": "2020-05-28T06:48:31.000Z", + "destination.ip": [ + "10.164.120.197" + ], + "destination.port": 2304, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "enbyCi3813.api.domain", + "input.type": "log", + "log.offset": 23236, + "network.direction": "external", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2286, + "related.ip": [ + "10.164.207.42", + "10.164.120.197" + ], + "related.user": [ + "pta" + ], + "rsa.counters.dclass_c1": 3116, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "enbyCi3813.api.domain" + ], + "rsa.network.domain": "nonn4478.host", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "server.domain": "nonn4478.host", + "service.type": "fortinet", + "source.ip": [ + "10.164.207.42" + ], + "source.port": 1901, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "pta" + }, + { + "@timestamp": "2020-06-11T13:51:06.000Z", + "destination.ip": [ + "10.154.191.225" + ], + 
"destination.port": 7856, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "liquipex1155.mail.corp", + "input.type": "log", + "log.offset": 23505, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2990, + "related.ip": [ + "10.154.191.225", + "10.183.189.133" + ], + "related.user": [ + "ita" + ], + "rsa.counters.dclass_c1": 6105, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "liquipex1155.mail.corp" + ], + "rsa.network.domain": "amquaer3985.www5.example", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "server.domain": "amquaer3985.www5.example", + "service.type": "fortinet", + "source.ip": [ + "10.183.189.133" + ], + "source.port": 5347, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ita" + }, + { + "@timestamp": "2020-06-25T20:53:40.000Z", + "destination.ip": [ + "10.103.189.199" + ], + "destination.port": 767, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny 
src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "isn3991.local", + "input.type": "log", + "log.offset": 23783, + "network.direction": "outbound", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 226, + "related.ip": [ + "10.103.189.199", + "10.29.120.226" + ], + "related.user": [ + "emu" + ], + "rsa.counters.dclass_c1": 5452, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "isn3991.local" + ], + "rsa.network.domain": "orem6317.local", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "server.domain": "orem6317.local", + "service.type": "fortinet", + "source.ip": [ + "10.29.120.226" + ], + "source.port": 1296, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emu" + }, + { + "@timestamp": "2020-07-10T03:56:14.000Z", + "destination.ip": [ + "10.210.153.7" + ], + "destination.port": 7030, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "iumtotam1010.www5.corp", + 
"input.type": "log", + "log.offset": 24037, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4691, + "related.ip": [ + "10.210.153.7", + "10.133.254.23" + ], + "related.user": [ + "voluptas" + ], + "rsa.counters.dclass_c1": 2088, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "iumtotam1010.www5.corp" + ], + "rsa.network.domain": "velill3230.www.corp", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "server.domain": "velill3230.www.corp", + "service.type": "fortinet", + "source.ip": [ + "10.133.254.23" + ], + "source.port": 6251, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "voluptas" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.ip": [ + "10.91.2.135" + ], + "destination.port": 2141, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "onsecte91.www5.localdomain", + "input.type": "log", + "log.offset": 24312, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5647, + "related.ip": [ + 
"10.91.2.135", + "10.126.245.73" + ], + "related.user": [ + "olore" + ], + "rsa.counters.dclass_c1": 4680, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "onsecte91.www5.localdomain" + ], + "rsa.network.domain": "orumS757.www5.corp", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "server.domain": "orumS757.www5.corp", + "service.type": "fortinet", + "source.ip": [ + "10.126.245.73" + ], + "source.port": 180, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olore" + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.ip": [ + "10.137.85.123" + ], + "destination.port": 7073, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "abori7686.internal.host", + "input.type": "log", + "log.offset": 24583, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2313, + "related.ip": [ + "10.183.243.246", + "10.137.85.123" + ], + "related.user": [ + "cid" + ], + "rsa.counters.dclass_c1": 6402, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "abori7686.internal.host" + ], + "rsa.network.domain": "emi4534.www.localdomain", + "rsa.network.network_service": "https", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "server.domain": "emi4534.www.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.183.243.246" + ], + "source.port": 218, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "cid" + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "destination.ip": [ + "10.10.86.55" + ], + "destination.port": 5132, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reprehen3513.test", + "input.type": "log", + "log.offset": 24859, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1585, + "related.ip": [ + "10.10.86.55", + "10.61.225.196" + ], + "related.user": [ + "eniamqu" + ], + "rsa.counters.dclass_c1": 3034, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reprehen3513.test" + ], + "rsa.network.domain": "inimav1576.mail.example", + 
"rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "server.domain": "inimav1576.mail.example", + "service.type": "fortinet", + "source.ip": [ + "10.61.225.196" + ], + "source.port": 4720, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eniamqu" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.ip": [ + "10.79.73.195" + ], + "destination.port": 457, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "orroquis284.api.domain", + "input.type": "log", + "log.offset": 25128, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3141, + "related.ip": [ + "10.79.73.195", + "10.125.143.153" + ], + "related.user": [ + "emip" + ], + "rsa.counters.dclass_c1": 7645, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "orroquis284.api.domain" + ], + "rsa.network.domain": "aturQu7083.mail.host", + "rsa.network.network_service": "http", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "server.domain": "aturQu7083.mail.host", + "service.type": "fortinet", + "source.ip": [ + "10.125.143.153" + ], + "source.port": 2657, + "tags": [ + "fortinet.clientendpoint", + 
"forwarded" + ], + "user.name": "emip" + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "destination.ip": [ + "10.64.139.17" + ], + "destination.port": 2438, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tionula2060.www5.localhost", + "input.type": "log", + "log.offset": 25396, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6331, + "related.ip": [ + "10.240.216.85", + "10.64.139.17" + ], + "related.user": [ + "nimadmin" + ], + "rsa.counters.dclass_c1": 4982, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tionula2060.www5.localhost" + ], + "rsa.network.domain": "lumqui7769.mail.local", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "server.domain": "lumqui7769.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.240.216.85" + ], + "source.port": 2046, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nimadmin" + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "destination.ip": [ + "10.222.245.80" + ], + "destination.port": 4017, + "event.action": "deny", + "event.code": 
"ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rumSecti111.www5.domain", + "input.type": "log", + "log.offset": 25683, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4474, + "related.ip": [ + "10.222.245.80", + "10.87.90.49" + ], + "related.user": [ + "ptatemse" + ], + "rsa.counters.dclass_c1": 3380, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "rumSecti111.www5.domain" + ], + "rsa.network.domain": "siarc6339.internal.corp", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "server.domain": "siarc6339.internal.corp", + "service.type": "fortinet", + "source.ip": [ + "10.87.90.49" + ], + "source.port": 1486, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ptatemse" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.87.144.208" + ], + "destination.port": 2440, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 
src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "olores7881.local", + "input.type": "log", + "log.offset": 25971, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4855, + "related.ip": [ + "10.87.144.208", + "10.143.53.214" + ], + "related.user": [ + "psumq" + ], + "rsa.counters.dclass_c1": 5772, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "olores7881.local" + ], + "rsa.network.domain": "ptatev6552.www.test", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "server.domain": "ptatev6552.www.test", + "service.type": "fortinet", + "source.ip": [ + "10.143.53.214" + ], + "source.port": 3310, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "psumq" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.ip": [ + "10.105.97.134" + ], + "destination.port": 1935, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": 
"tDuis3281.www5.localdomain", + "input.type": "log", + "log.offset": 26239, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1729, + "related.ip": [ + "10.105.97.134", + "10.204.178.19" + ], + "related.user": [ + "mexercit" + ], + "rsa.counters.dclass_c1": 6564, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tDuis3281.www5.localdomain" + ], + "rsa.network.domain": "byC5766.internal.home", + "rsa.network.network_service": "pop3", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "server.domain": "byC5766.internal.home", + "service.type": "fortinet", + "source.ip": [ + "10.204.178.19" + ], + "source.port": 616, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mexercit" + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "destination.ip": [ + "10.194.67.223" + ], + "destination.port": 5767, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "uptasnul2751.www5.corp", + "input.type": "log", + "log.offset": 26526, + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + 
"process.pid": 4493, + "related.ip": [ + "10.161.64.168", + "10.194.67.223" + ], + "related.user": [ + "tion" + ], + "rsa.counters.dclass_c1": 3673, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "uptasnul2751.www5.corp" + ], + "rsa.network.domain": "hender6628.local", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "server.domain": "hender6628.local", + "service.type": "fortinet", + "source.ip": [ + "10.161.64.168" + ], + "source.port": 7154, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tion" + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "destination.ip": [ + "10.120.148.241" + ], + "destination.port": 1655, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "upt6017.api.localdomain", + "input.type": "log", + "log.offset": 26795, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6094, + "related.ip": [ + "10.100.154.220", + "10.120.148.241" + ], + "related.user": [ + "rsitam" + ], + "rsa.counters.dclass_c1": 5150, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": 
"Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "upt6017.api.localdomain" + ], + "rsa.network.domain": "xercit7649.www5.home", + "rsa.network.network_service": "smtp", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "server.domain": "xercit7649.www5.home", + "service.type": "fortinet", + "source.ip": [ + "10.100.154.220" + ], + "source.port": 5535, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "rsitam" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.ip": [ + "10.180.90.112" + ], + "destination.port": 1936, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tpers2217.internal.lan", + "input.type": "log", + "log.offset": 27072, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5012, + "related.ip": [ + "10.180.90.112", + "10.116.153.19" + ], + "related.user": [ + "itessequ" + ], + "rsa.counters.dclass_c1": 2216, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tpers2217.internal.lan" + ], + 
"rsa.network.domain": "porissu1470.domain", + "rsa.network.network_service": "ms-wbt-server", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "server.domain": "porissu1470.domain", + "service.type": "fortinet", + "source.ip": [ + "10.116.153.19" + ], + "source.port": 6610, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "itessequ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 1c8ac2e4fc3..535e8089827 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded gzipped contents of module/fortinet. func AssetFortinet() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md new file mode 100644 index 00000000000..b19deeb6e09 --- /dev/null +++ b/x-pack/filebeat/module/imperva/README.md @@ -0,0 +1,7 @@ +# imperva module + +This is a module for Imperva SecureSphere logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 +at 2020-07-13 17:55:36.873349 +0000 UTC. + diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml new file mode 100644 index 00000000000..2b5660cd4c2 --- /dev/null +++ b/x-pack/filebeat/module/imperva/_meta/config.yml 
@@ -0,0 +1,19 @@
+- module: imperva
+ securesphere:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9511
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
new file mode 100644
index 00000000000..bb1c301cd4c
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
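Review bot: The commented template leaves out `var.keep_raw_fields`, which the module's docs.asciidoc added in this same commit documents (raw parser fields kept under `rsa.raw`, default false), so an operator who only reads the generated config section has no hint the option exists. Add it beside the `var.rsa_fields` toggle: `# Toggle output of raw parser fields under rsa.raw (default false).` / `# var.keep_raw_fields: false`. The `var.tz_offset` comment also advertises a `local` default that the docs page does not mention; keeping the two descriptions aligned avoids confusion when timestamp parsing is being debugged.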
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: imperva
+:has-dashboards: false
+
+== Imperva module
+
+experimental[]
+
+This is a module for receiving Imperva SecureSphere logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: securesphere
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `securesphere` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9511`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/imperva/_meta/fields.yml b/x-pack/filebeat/module/imperva/_meta/fields.yml
new file mode 100644
index 00000000000..ff50b302fab
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: imperva
+ title: Imperva SecureSphere
+ description: >
+ imperva fields.
+ fields:
diff --git a/x-pack/filebeat/module/imperva/fields.go b/x-pack/filebeat/module/imperva/fields.go
new file mode 100644
index 00000000000..75f3191df80
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package imperva + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "imperva", asset.ModuleFieldsPri, AssetImperva); err != nil { + panic(err) + } +} + +// AssetImperva returns asset data. +// This is the base64 encoded gzipped contents of module/imperva. +func AssetImperva() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q8Jr2rQS/oXQiy3Al6Tc/8Hcgms0XBZL0DDXwgpwTDNa8uVfE3+7S+EkPanZMZBlGbyFxL+6zV+6v73HZG0gtdEgl0pfTXh0oKeUQYT9/fua4SoJeiV5hZeE6ub/id2XcNrh+pK6bL39xJmtBG2wCVfkxkVBrY+HqDb/u89rYCoGbELaBEjHWJk5ejFz6ymsxlnZEENmQJIoqYG9BLKyYA+begdiJlr1dS3J2WXqZtlEWtJxRZ546uPrR9bYrNIZeZbf9+/wviGDXbl44Ib9z3CDWkMlMQqwmhtm8B/TVekAmPo3P2bWsJUBcYRrdznO6AJeavm5BSYKkHHCfGw+C5Sh5LTwoUlSFs40hIDDghn5n5guUGeMyUtSGvc/eDSWCpti4aJ4mh5dQiCJbW7Hwyx4x4ntwShlqwWnC0IJQaM4UqSBbeGUPIe7O/cSjCm3f3J4Gh0xJqFakRJJCxBkyl0566m2gB5B5Y61CiZaVX1lnr6Vs3NiwvKrsCaZwPwp1wDs2L9nNiANyUfwAsLf8JlD81JlJECliAO4KRQcvd+bnHyFGoNjNqASQkzLqEkSgpEy9KpAFLROo5VZeZFsguzZ4/fhXt+fvoDWVLRhBvPS5CWz3g4nXBNmSVCzf1+6cFGIHXcgQ+nBb/ntqOm2nLWCKrx92FjJ6MnYwD6oJMSOxkDyOMnZXRLlsfdk5f/f0/274lbNc+G3O/6qukfBRKyuy2PBrslPUToZUdNg1GNZpne3vuzLdf9vx9mxlILFUj7GJGjTcltwQTducOPBD2QVq8fI2ILp1M9RsS4PAyxvBpTKzke70krgR4iPfKybQZQprShRvSamJ3Z+2LrFnDYDPSQgZJwPytiRw8ZQL/Bihjn4o5r5UhclD2vSpR9nl0DMhOxj0Q4eGf2sWOo1Y3kXxrYqNG6oz/8ab1t1J4oydzjQK167JbtiLhZ8rzisM/dE7cMn3FG+/f5rZqTsyVISy5ROJNGlqCdCaIhCKoB6TN+DSUxYB2QrR9vr2HGDZZ2Ewaw722wdJswAH2nTRl6AtP7lw47mAO67sCTu/FgoUwmfbV/Ln9VxvZFpNg9kQZkyeW8/dDEjk3Ph/T18JcfcsAGPxpl7PnF8idCy1I7WTl23XeZO6Deqq+VuctXudn76v9d9jpu5ZcNu3LBO9L63rKSUDLnS5Cdk+zrVQQciw
7zX+S1QMrHqPx9HRGNUYeGqteFhi8Z9rofPMQNRrqna+TymV+aXOBFeh682ZaSj+saCKNDCTIFAtwuQJNP59L+8IooTX4RitofX5IpNXiK2gDZjM8bjarfDXQfou5+xXRjGDSf8ZnAv+B+PVe53Gz7rON25a/ewaD0iuoym1LXk2g9svucPL/4vKXvUaJB0N0tJcSsjYUqPKIBbQdtAf6kGs8892+l+ZxLKtrfbGsrN/Ahl/61JzHi/OLzqwgLAvoDTtyfBR1GQy6neH02B3WoOB76+iyAlqCPErv+FZci56f3iZJ6fPvBUgRzWKz0UTvZBCuy+9loq2idbxQtvCjOdDlRQgCzSn+NAthx7wFybtyZ44YwzzooHaZbiupbtau2kD2MfoQWX8Wmj0VVrZTBZLdKSTJdDzaNEA1fGjDWATS8qsU67JP7shP0BChbEMNLIE+/J3ahG/Ly55+fkRU1xADIbpU9nHgUyustOGFqJQ3kYwX7ak4FU420nU+hqaZe6LmrbKIQyFM6VUvoMYPLaGZlK96M1UCr0fvDvppj88CsgpI3u3paCkZ9E9McO8cCnxFu/9m8/P6Hvxov0l/UKEBbpP85oOafzh58S9egyUtyJhmtTSN8ZMWZlHeS6zHo9wx+RHIrY6v8+JL8qyP3OfnxR/KvhCnt9GWkIiz6nPx3Yf+n+yI3ZJsp30S3UKoSHq2tK1dQMCrElLKrvBqwR04qi9eGWm9XOCaCLGvFpUXTxEI8wRkPRwFaq0z5aRt90NTAOBWIMWJqrNJOs5Zrr3W4D5ZU8NIfjBhShMxUI0v3wghA5LmcB+XoxuTF7RsxgJwiFhiuw56w0cgurIWi5WN55wI6xPA/gVRgNWcRqyOYwv0voy3sn/tWCLtnn9qNRqtm7bZNyK9q5bZmaHNySZR2xphV5AqgvoFpj+LF+0qYphUDY4olL4syV9T1rJU8c5CgqcVLXjoO9uzCJde2ocIZ7Vu+dxlxcfCKO7MbY+XIDE9FuOrnp0Q7aW3QoYJMo3oOtvvajZwwOlPS04NzwmfC7eeEzhIKGgr+89PW9/oBKmWBXIbzzjTgQztdjwlK9782EPMVBF7CSoWpBc+Z2fCozXnDB2r/o9DNnMzNeN7x1rk3IJz19tS1Vkt4Qv5rRBi9eJlx8QAxereqM44uTt5cBN2XUenYw6ta6V2Nl+AT+dWlQTSPw/3xyT9VaIij6R5zpW6b8s3mJxuD3es5aJlPyMufX5EV8r0CKgkVIu4rQKc+qkkb/xFZgQYPlloigBpLlNwpF9lm4oOriV83EyN3NUfYNvDud6VLZBxmNQFbSCXUfL0biJtxPdBiCfmZsAXVlFnPRHep14g/Os0laWTI6RFbPvPRitrUBd0+UJ8ziLAndokWReWUTCXbMIKmq1GZhpJ1R62kDDVWH6OQweegGGt0C9FYKkuqSyKVrqjgf8bye5WuovwpQ5bDwSxSzXTwJN2JSRusO2ReCD4DpDhi4BtgSpYjCvZmuwtjc/pZ9hDEJVNVLcBGD8CoE5WiAm813xGDvXozbR/oIF+6taPHeewob5/M0eNXKWkXibZpU5+aKudlk+VUPhDjz2SZg+0O5J9K5u62sEcsutVbFdOn137c5fBARGW70W+IhWsbLh9Zgja9copyXx5YZH/ve9jWQFORuSnTY0qXUOZ7B0OSTXimTLdiq2O0mTbdF/vx9eFrpVU1QagNFuUbBpJqrrxaXzXC8u8sB01oXYu2+mXTy6aiks5jpbmECAzvtPaiR8rjagi3TwxRK+kjY5ZW9a5nMGDsVnMoDm+fNYQtuLNuVAlmQt41xqKZ1AfqbiW1I3m51MKBm7RXgM1mDu8lHEMTwk1uF/S80zADDZL5A0Gdal3yJS+dZoPnIS7ILltB9nGHeXEir2uuj0bhZj99LOjanURuxdoTa5zQc/qaQwoP6H7faMJNH3XhPHfSuJNnk8GSXTqZalJLoGqgyN0XYsf/1FcFNcgvDT
RHO0rudPtTtJGPK2oIIlGOnBtE7ofUTE2oFGwxNINMm1c2w+s7r3LgWhcZUK2LHNpznVIUbQN9mRxqBl2p94o8jAm5Yz5G35jBc3mnN+dQsXmTXDskWLB5IHa6IaR2BFE2UOJTKNamEbnDTiNWlGosUxW88Dh0xgtmZavZ4IRQGViwZUCOHBBYguY2Z+nIHsLa1UMRYC+ys8/lk7d4cdA70L/SXaWLg4ZxpxoYn/GN4RPXbn0wZ6ynStCV82czRTagczHyclMw0bqoyhBkieIdzOZjbcLnbSu9bwkqTX67DKmx3LQJAbt+NVy/3aGxKklTK8MTCo5bnS00p2XpO0xhKn97d0e78DTCFvlaF91RFMmmAs3ZXWVRlLYjVLHtIaxfydbdDC+W/P0ekLYEWSodEmb3UqamfzxA95o2tKumfwCL29EOsfy14AN2Owm6HzEv6XP2qvtmeCFD1X8QM8HLtaBdbrFUllCyCB0v4gm0Qs2LNlHlQYR6exDvLNSP0TNlS/b9HdOtsGs1io+44q8EZ+vct2ePXLhABEJzbSnWI3K5ETnzpuMM/NAIQMTi4lRJC9e5NdYOoXPp/XWbfqi0LI37P3xUqWgRijWAueFxZgsq51BIWOWWBWOBS1j1Qv2ohFir+bSx0JMQwxx941F32nr/+YuLDlPTZMKu45zg2dpW7mMaGoK7+UUemb7+FjFusQLMMaxtOGg2OV96CXpCLsFvSmNAT+gcsJV3yHSfKd3iMIDdgvF6O8PfE//7Xt8KpclUq5X7rP1r0DW92TXaT/q8vKDapnbTdYBTe1TCnVKD6tBj3Sklyk5tzHWlVA0hoJjrLX4jCRWgbZddpDeLhr/58FYQH70mAJiEFFGYSyKV/E5DDWjJ7Mt+QLPhmE8Oa7R2F6azV3AnUY97wX2ErQ3/DChbcbsIyrKX9eQUF5xitYkkSn43V+6/97wEqKQUEcUxI920Fwx8gQg4JNWMOOlgOZgJudzIlN3BBv3KqjwYn/hyvsY4I8aXjPpkmzKI38B4SphojG0PZPjHYJvwJ9y4nQw10cG/4RRf/HRcBTq69uNvWNyi922Z8illT24yvByWp4gFocYoxtFf6nYjak/ihr3lV/CaUFIv1oYzKkjJzdVzUmucifKcgGVP4ooy1fSQ2ss7PvS+zkbTCixoQ2pqsIuXwUYOvhcBU1XlpJjaCtoPS2vAsr3qnn8PHkrj6+1hhofJi2+mqroZ3sEM20bJistSrUI+LVOSQW2fd5kUo8wYkDlrhFiTLw0V3vlZqopyGaSG7C0k1MjT1fd6plKX9pDuVMK3XF5BGWqB2kR0atA7FQwU98k3HWoTXu7bODHoCpFV1PUnO3m3xC4CLXq/XT4UXr/VwfNKLofterqgM+iK7w52yu1iDWsitv7879e0f0ysac+4yH/HO5J/wdW6a6yhbBiQNnIEcXebAc2pKCKvabZH5BKXbNXm3fex9wC6F2bULwDsyhzUciCFxzis7h66BTWL7oY6tTBSZdiwhc/8bWtsujLDkxbSToswR0i3zMRo5n7V/XtYaUqcPJeEY85dI5kAqt2fsBHeBrVQQBi8nbot7Lw5+uCFXzPs8/SoXyymqimXXd/s/oMVykb1HV6vJdeNObanr6+NIALjHr/jBEgjV+LEr+57Mo57Sr0Fl9013rHPe5nPT8l7L2mehsYNxE/bC0W/Drdncb3aO6Afwpffcz+fnyJLQ8lbJyaG3oPtiJxPA/QkTPwhcrJgxU3cSF2adc5e9ttR3VCg7dWFvX5s6Y3vI54ax/qTbmFyfnqjJpvKP3eDJusQeynLjUY7ISe+PjP0OxX+g/3aLCKot7/xwzfBHTdtbFe5qWz3GDVSgPGcUf5BWSmypJrTqRhUAfqmDFySWtARQWBAmqz9UbY2tK+q+pUnTlI5DaOtL+Runy9fnF/s6tAktIz1HoWxuuwDBwreuhZyE2nxSJJzackln0uKwmLkiNZK52xe+2Qgv9whvW
h1N4VdHfE/HSK9u4ynrFSRg/P+t4+ESyaaEpw4C4Ns3c8n5OnZNa1qAa/JhXeIeLAovSdxvwhG5o4e20Tn1OZpiWPGzZVTuQ/A6w6leD035vvwNHzg5mpPyNVqPp+DzjfCLs6yz/1YQMABtdOFBrNQonSnx9vqI5NGt0LvR/AsDGPvQSo//eB1jGddM47z03gZya2j80xVdXHkvCvclZB7hWNcvX/PNNPvHDpKYn3qDMfNqLJhY1ZaUEsfKGusj3knLZXGzgNOrrf4jUyJo7pcUf0wGXrDrvpOutLwEDkiRlojP3VClJJ3lLX9lOPKrRNBR7VjlPyuVVD1finkbc3kQ601UJM8N9hYaptUinPnj6JcPJjZ4RafqmvCyxfj75d7WZtjYOgw+jRofOzvgsMifnXbdyzz9L3BIT8dzt075DnjUjWpYpy9OhIzT36nnCRN6XQYeGR/Sgw4d2fGrSPxRggn94hpGANjZo0gZ259wlQJxh2Jttlv3LLgsoTrxAwQ3NjDNM97yhZcGE0x3SIxBY3xzYpqLjCDJ+LB8/F3OScUmfid+22UMpnhHKqpby70QBpxWJ087fI5a9CmDkW3XsIMWBZUhE1CfNvh6dlIkaF3cw3f49wJJV756pK8gq/Kf9t9SLk0pARLuYg4Gaaqsb3fjZCmxNFzM1uPLe3y2BCP8YfUQlWLbNk8b0gJMxpCQKHzZRvDD9maTiteghZ0jYVcVoXHlTyN3Ej3AVrd4dcwa6vAva/eWG4bbMxIooRtbINhw6b7XtekUayef4fR1JhmkFVMVZW7T3mO0YmHTngv2bfWaslL7z9ru8hVYEYToUrFDg803t1b9gsXG62R9fPy4qrBdY1JTw8j69vV88r6P9T0QL/TweT9bzUNAZj47ap5vsa5p5hQ7Hf+8uKcnA8Uqj4a2brWhuqS/RgkLOzqqmHnSQ3pu/jDQm51XLn3IqKYqjJ3xdeg4m5X6Qi4EIfLiHq0SN8twYcMjlB53nMBh9Jhn0DbxUP4nJddKGfEiVelthoHZeAJXv50Sl5Hd93kfKba6d4Xn3z3nDYQhcka18CavhfBp35NIVbe2nZh2pe4cQRHSNQrXm47RLrqSrqkXNBhIIN0rnCC9ZUz0Hpk0oK/Q4f4+tPF3YKxUoUGUD4AOyAppBsYPp+MSEReFdOmLNfJ/TO8KpLWAfXgNgYOa3S+10uVHqLmKmGXg50Su8I0xyhI4Kafvep7rtKm5LarrNv0RQsYxQbbbSo2vCjZhBf2E+mzxFJzcHk0q/zk8xl5GmolPjfC6cpTLrCAA/PAzq5rZdw3n5Hvho4GuRuFuZJqJbcMIQOswWYWy23oI5M2GT2CC243LfSkrXJ/H0qT3sKcsjX5NGquCT7V9CGK8sPCWyzmklSUy5mmFexNx6ipxqm9+fskbCmXF7gsea9Knxy9aQvYyzqLIEVu0L4wVcAxIpeFtN037j2syK+NRFPynSpBkKdcLiffPidcsedk6v4P3P9RScXacDP5Nh5ftKwuZoIOJuen1qG2NfyTC4KLoq8L5eS6HX6lZnsbNViVFVP/12nAs22DYEC7gxxFaFmllbs7mH1+9zvVQD76BOBvv/387vc3H86+/dbn3C6ppnz0TK6UvkpZsnzjBfu9XbAfYRt1glGZWokINTtpu5R0zwFl7rlYZzBhZkqDNJylFCA9V1IGjKv0XpBIfCAV0GJF+XA48b29A9j7PDVQd31Sl6ibZprpUthpaaxOXfmO9drZHGL9tzTZO9rWfORzkh5a7LIZDDZQaUKxyabuJdS7OBAzPupoaknN5og9lNRoN6IImbvlPXGhfHA/wbs7LhzyQf//MFx1ozL7yX8PcsTKno8+ILIXyQc5HG0cdx9+Sh0haWtrZ3t26VPbZbS3WXbYJ/MZut0GJ/fmyHTbspofIx6GRV8zyoXjddvM5SLIjPPTfm0bduJy5qCFeaSFwXhWYZtzXTgV8QB6Dkm8xnTrUH10oqqqkb
ueqAF28rDGTffF7j1c279DXKfucDOHadb3xe2SyvLfVTxqtsHNUssPkQz3xm648BZypjE1Z1wlyxI9lgWP2K+olsOgw2NH3ciqLlQuYXz5/t0F+c37UTdJqXFEvhw1leDyP96SLw3okd6tjZCFht1OnXmTG3oO0TX50BadRdO6Oi2dJXxI+0BV6jECDmh9kOPoJqg2Ehy7N9wy/YAGKqiuMuyWA5vBvUDrhAXIHdCmTDaVdgtm2m5XW6BLane1wvvCnYJki4rqVGUlHdx1TQfji+8dfaJskE6VBGaxSH4WGMzSFlB1gGdzbLWUAaya/pEBak2TT8LwHaeSHy8Muhc89YMTOrdV4FTP5EjLgjIcjJK+/MTBNjKh8d4DPJ3Xy5/ktV0kf9+ZLJjVRWmS9l3vQXeQD4s83QLwUtDkEkMWIOdcJiyKHILOkRsti1lhVtyy5PJDFjOhVoZW6XNX+rClXeaDniHqwmTBZU5xwmUNupqukyW8D2DX7CoP8CUVOc4Kr4taK6uK9CEphL78qUCPY3rYItvdFGpelDmY7QCnz39jsqjodWFtKrfBNmB3ogVkeBQqLjMhzWU+pGthCjEVReqw6Bbs7zMCT94ZvAc7dS/EPuzUVb192D9nhP0qI+x/yQj7f2SE/dc8sK2qBZ1CDpHSQU9vnsmiagQq39N1hneyBV5fZdBLqkbweVXn0b6dlknFPHUSUoDMcyglBr6w9L4RWRifkJhhB41meaxJBziPNWnWpqkzzCJlsiurzmKqWmWd6QHXGUSIVdYZZrlgo1mTBXgj+bWkUhlgGQ7h8pXjSqZHYflK1XYBtMzgVlNVXTCRwYftAGcIkiBcPV3b9G5RB9lkgVw3RYaYBtPcckZFhgIiU9A5SLZOmHXVhy2pWP8J5TQH3ssC24BmgezbweTB2ifWZoE+ndfLV3l80KaYcvvXLI3GmCnSzorbAaxVclFtslxzhApMp69yM97Hn2zWVg8w2IX386d3jnjgqPZlAe67yafrINeDPeMCctgwppjl2EQ+S1mcvQ04h25gCl5jkmKRRdTxevlTaWw9aOafCLbRLAtswWeQw4wx6GiuoOTJCka3YXOZ55RUqmwEGKZycDsA5/MMsknVZkVt0pn/PeixDPIkgDXMubGapveEbGBn0Pg01LlYrbPx2mAncp1JvvrMfH/EM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc1ywMuRQtgUkJd+vn1quNxYKpPPOS6NnTY61bDAFir4WUE5oDbJcU2vR7c1yanB4uSGWfph14d2GtgHc07LMvUd4GXqsGrbOijDW8SrgmmlqixdiRzgDGYar4o8yZGh41EONtdXydsz1SZ9y1Jem1rzxEAFtdw2ybPPBJeQrsXOBqpJOlGng4vFt+ndWkL5rqfFTKjkz3kHPEPKv7N5k0sdBzSDxHE2dAZUk+cmCDXPcnTlPMsFrpVOLcCqaTPPcc0qblgOsVCZLAc2xxwICRabKyWHm1yG+wbQqTP+PNTU6XhytUptgWSpKFN+AHRyS1Sl14yU5vMiMo/r3nBXEnT6N6su/FDe5GCTTqbegPUjXrMcsgyFm2EmTmphEMCmlgZ14R1JydGlxrgPC7ZIVec/AA3XNU8eCKhBV3NNpR303E0BeZUFcPqn13ci+/RpZwpoAsBazQtq6oQDA/qgNU0NVQMVOfQ7DQz54LuOZgKenskOctoWrj3ISpcZME7vyDQZfMPG+4Yz5AMYSJ0I4AceZzBODHxJfwBiDVqTQc1gShk+zyB4TZ3ay2Y0y3EPNCuTK9JGs1hX3ASAbboRW32YjUneVXPJZOpCiei02PsC9U06U5Nv5zb9sfJA00f0upmeqeGu6+TdWptymiUPvdEiw1vYGNBFyVNXvWcZW9FGhnKwwTJjaZXaG7wsuDSWzjJoBkuubQ41fFnLDK2brNKNTOlmjbVFi3QUfdNYRT40kgyW7rJHMg7L+0wFL8mJhpJbckJ1Gb
oZGmz/HkfHT87KyKWxCaEIBofoE+xvwJQgsVKdLh+Cy3ycO6tqodYwGCx4I/9mqknW1PuWZ8zx0PuMcN6Zhjlck4ruNlrYxGLlvNkdBpIdScENDmdoVw9bjw2UiGnqWmlLho1HCVktqCXcklrDbOwo3CMt9y5DKGKMD1ZHhwLhMnR2H+kLLbjMPZG/h6pbrY+nIVbNwS5ATzbfNwvVDF40QiQsQXfjiKwiNdUGyDuwFCeC+7tKOxY8favm5sWFL3t9Rk7DiK/nxC4iU4qwGfAHCKOPEW1J3oP9nVsJJr7Pw0OdhXkzHNnd3SJc3BNrgGq2mHDJo/jhzN0j9NfeEZ84CwOTIV4I2kic9TtvcI5r28Q93sB9p1/7Hpryt+PuaOqacIf5xSPGvtuIImFN0+06r+Ky5CNcW7wVY+6CY0yjHhFIm8F173FCtRQjEy+xe27GceDYP9eAJRq+NGDsnqbdh2cr371XvlcZcCyPX9VL7F2PVJd3uu1O2YeTxwhjY1t/xw7t5nWU8pSz/2+eb+gWOz9thQKuHT8baDWkS+K94xF2j8uUGiA+XbvDhgxuVbdL4RcPg6/sRsF3mCvt29dH2UgINcQA4Lgzun9elabSUHaE8b6DDtN+aYlq7+bQsEbjBLR9SNegK+7VjWMhvVnSD+bgSy5gDkTAEgShxvC59Bu3mdcfP/rYkvkB5Teuv+ekTx9k0rPDrJH8SwO7YxJp/PL18D2sY+JhU1BajYaX/kIyJSVgbgVZcbsYExSERCpDOo1dw0HlRXc2LRw7UZ50T5RQc86oIA6DEdMHsXhY7HCpkTGND8e7erE2cfR66WwrtZPVmvqBp4JTUyxUdpvAG3GduYazVDZDjZxU7I/gifcDIP7SOGzxTQuDWJgAqidvhFHOEN+6b6cYLCe/hl9MyBu57v41gG7RljfSElpOmKrqxoKOi+EsbnxHWD7z7JvdvcAZi1sbwu0/m5ff//BXZ/ue9raj5dg3UbTDOS3SRsxu67iha9DkXzqfnHkR0EDk4rc+df1P/jMvNzhvnfq9+3Fg8vJNsu3J7sAUt86EvP/t45mjHTR45wn6S0tumIaaSrZ2WmVQz8RuLghBDj0nH9+9JufS/vjyOTl/f3r2n6/Jp3NpX/1Enq4WayKB2wVowhbKhFFpSmtgFr/1w6v/9d+ePYlyBOwio4zb5QfK1ElF4+N4TObTd8drfunP4nmLVPyKl48L6b5sugHzAxvG3fqBj+G7o5hurJPPXNuGCvL2zfsosn8qCfl8WYedjP+jJEzivHXofjUiFAm5WXjiFjzGN3jPPsyphRV9gBHpeLovyJuy1Oin9ac8hk739LKqPjTOed9YyPnJuwv/Ko2Gxypqjhj92HIqeU01vN3k/MKhMuL9cjw8cBJEEh66tcd52GpihZ+udVwB0UOXliV3X6ZiE7DtzfKPv3NHPADOJMQLrsINP90+AgNUNrnWWfS62z5plLwPGF4obTuRPBC6JQbYcAO4Xd8sec2Ree/p4XLePiYtWe/GGC8hZjcey4sbsEPLlxqjGHcqp/cbDXQc4uSypnIOk850YkrO+LzRUJLpGmGCLDFrKC5n6gNbDwyKRke05eiiswz9DkRC3b9fwpXcAaChUhaKkNmdPs8oPWtLaQpa+FT8DKBrq/MAn2U4ErMM1cIix3XI1f+kzsBUWhatJy6fWr5rwTs6Jrur9Z0JD6DBntkFaAmWfFzX8Jx8ap+xt+gA+5FctA6wwUvw25im1o7qOYIyMWIat0gHv/hzQoWIKhP15ouY4EY1JuYtQbs3kEuriLH4mHNJPp2PChSGCbLZ5FVyke2AqjrD2DcHWINJndHrwGYocfEvYupUdPS3Z8DWj1YoBMh58kmRiLNTPjJqoSMaqFd5qOgFYCRhmE4wI5T8ovSK6nI4p5uQN3NM9tKEuht/jbl0U7ArABlXPRN3TbxrjFtZKvqhOo8MwZbxmBkxoJDLkOeKaQkVt04shREbcRKXgs
pjxPFv4aBsE0R6LsoBgdsuy00kZeks2DkasNsvT+pIJTDsQrBM1w/udhF7qi1njaCaYL9o0iLx9Oz69Vs1V7NZfPo7sMIuIPv2biH70S3ob2MP7zOHt0P3TWMXIG1IFh9F2zQpOyfcLqHHLzmO+icDehRh1VimjsvpsOQ4wpcNY2DMCM7Yefyw5miHJZ4gXsSpuHOl1yRSmDDA7RjCaQtH2MHRSSUM8JlaSfeuOLkVUw67H5KBorRN1TJdP7qRd5MS37UUawYEh7KjJ/hhdvRhLonhtonIT4LFBRBEdIC6oIbQUtXudbEL4JqoldxsmWecpddKqmokrxZnchjuW9QfV4lwyj2XpZM/SpuOAZT8wgWQNwGxyYANt3H2yo4wfydHE8Y7+h8kXWGUBZchayEtF2I0RhiRst79Hozw+XqXoV4jNSfGE0KnKmf1QIT4KSzokqsGtUumqlqrio9kKMKxkTuTdCqwiGxGTvbjxuWyEzsZkdzFcEvrJFEEtjBMOlzmAAQj63f45d7d3iu7uW+jx25TZtlIu1vOllqjL7EMvGCHmPW30oLwPZ6DBM1ZSxIyBBP9dlMLuF3gUxub7UYCshP2w8RYPR78bGk6pO3Wg9H0cj9NQb3wa2WkK2qadka45RUYJ9e9tqehhtEgUtiFZE0hbtwIbDx4z23Qtzxah/TufrCj9ePtaPqhMMmGnN6atOAwvonCAW1I8UYg3EIYfL3UvbyROn3UvfMXLQlt+uadS9ZL9TgC5AY53gmQr/c4/njzlqUabXCcLbudfNRHlSAp79gt5MdRj2NK2gaHsVPqsQRtx0+dvHKnsYuiArtQDxAloVueZOLRCF8b3XDspaRVVq/TnqjOByWCv9YhsudcZvKE/Ofk5++/J0/fnr65eEZOubFczhtuFlBiKXwUF6HmKntfoH2RMMyWnXk8wjbjF0cyxrTK7FXcV//pdjWGQXdj0COfbOjzXa4Lw7T/ru635/hDnGIxUypjbdI3mWJUpOpOt0PIB1ryxvgViNLE8IoLqr14cmLT3SGG73q8vArvueHlMTuN9DPlP7mD0HoRd/pibi55vjqLN3LfXcewRqg07Pl/g5MIPxmcheC4gV5ZRhl3ZSqdMzFgELJBVis9p5L/uSerWuY7Crdl9gGc7p+pEXbPuI7Wkmbq+vOLWw5fC9/iy/cu2spq/hWosAtGNZBaQ6kqLmm04K4nni6o5SCtuTE9XtBjUvuWPiixvvUj1JkOrrs6T5zgqqm22AxpQ+p+sXrEZkdB2NxGos6gBE0tlEWypLI958MJn1/aFbvg2YVWS152zcPC92hdi6CpDg5GaP7jnrVtnTau4GyI5OWRqOyWDL3+7HqEzOjwUMycXHIfPV/sKu4jLeA6pTPlUPC7ap5wjTpT70e9Suh5hFCvo6LGSg0xVmkv8R20CizF1Z7gtybuW0/i1Fe8LAUcT8q9w/VuK+ci29uTewfJuXY8xnHIvQir9ToMyXUbnX1OakHdlrn3WWkCkul1Peblx1TII9iTt8ig051t+asylryjbMHliElX0kyS45tdXn+SmOlfa3Diw+lHvsmZmZC3Ja3JZ/yH149KJX3d6T+HjydZ0CU4zUkA1eRLA3pNsAehqZU00GpU8eJUR2+BvzmOvAw98JiDrHnbBVJ68n1fvnE8W5KOgOrmAH0IzVFviylOecrrMNs9421r6a0mRs42DA8vN0Q3UkbtWPO8e3l85Nm3kRqpsQsQi2Bh5t8ISlZclmpliKmB8Rln7pPnsTrBkCc7vCCOPI/vJueGPMWOsCDZ5hnC0OWzHrdII/Edfwtzytbkk9lufNtFYKvdQtrk2bVuhSMY7COvfd/UQlSwVg0PmXsRBxzv+gBEqv+3Kk2xnGfIvm2y8yvUY915vXodoRgpjB608JsDiD1OXu8YqSHDN7jeW1l3hqSPdwEdUnMch10XMNjem01Cpt+GwQ7FG1LcXPyMZQMpRwKOVrghySXMuAy+ehRO2N
WvovVI00HE7qBCsUy4bRwwO+pfasHY+Wxz0x56KY30pux82NZStqiO3AJ/syoynAyso/52ZBnyMuUy3QSxpHfDkYxFhXkfz4iQ6pft4Lb4Ntqb8v7I1M4B1nnfvhuwrqluz5T78/MNKasFH7RSJ+52OFvWJ7/fijybfGaJb2uh9Drfhv/N1FT+240dY1pEtruot+p57GlybPnbC4R+A20PphINqGr7re+navQUFCCtVvUhoqNUzXTgXLjVGQ9rOmsbbihHQBx9dcdx7+GJqmoq1919xGuH4/S9vbIE7Z6hgsuZiisF1FzlrhG6QX7sWJEtZivI2xV99iVXjsAvjRBr8h8NFXzGoSSnWPfsnYNRVFYwLZhSV/yBgu6/w5T49Tf2MxVj2nzybrObcHjdWFS5DxxhevNd/9AtEabsBHe098lPyMd17UnfeA4cc/wOjm+ehlmRtJnsDtoOB++I0E9MrG3tLjLHcNV1yuU2dt6zWCvdevsxxPzh7ciW93rlJD5OLS/qvHOI9rDCrXyj575FUyuVSRPZRsqt4/aD1NTGXZNMFtSkjPb3AOtQTp8YcqNFwm3uQU24K50xWjQ6lTekB9OALug8nU25AZ38edoGnTT9cRt0OPUZBAtcW5CoWqU3Thz8ZKe5U/QWGnZSZVJrVH6JY9QSbsncj7gsqlcvwn+fBBRehP8IeU0xtz8VoOPZeYGcB4yee2L6wXP0uPZGrQ3IKcNANGdScTkDrUfirkO6j0JXX/G/kfVR9+wRkGz7Es962xC5UhjWVlmvVGSJox2/Mx+3d8fuI2YQ6/6f/gHDBK3xgZ+8XoA+jj/C6ewh4+npCY5+fEZOcP04aqDtkZqljPD5BHQY/glbWZh7mvNC1tBxj5G9DXeLPjG9TtF7d5r/eahX8u6tUeK7TS75n3FvDb/KJFPO/3FGJMyV5X4D6wU1IxOgDDt2W6HeVvrFx4cLuq3ONgFqkOCyc8baxult/U08IcXw+TEqKrb7G3VTDz+ODlp20oQb0yRXOhEyJkvl89bdL4aCGILWWX2gg03pS88ztzi5xOD0Pul0lAyJrjN4iCI/vcTUzv2PUU96Hobk3aXnHhzHRagxoljmfNF3Q6rBkR1Fpizc0aNN8jaNJhdgfgXBos7U3OCbzbiS/oOEsvUnYjBepzQ5v3zzj3cX5MK9U+Q3OTJ9ZYNtpkrqQ7D9uFJxbFEMsQWwK3OQE/l2QjhvD7LY0LmuX2fXIgzTQMMIwo0U3KPlguaDppAPoOR6PLquIKNGA+JsqW2ONuGzj+WSCl76gxhBYlcQHq2r9T5BiBy7grXZFduJTn6bQJoY9sLa2hQcZ9BmAY1bmYMhjD6C28Tnsq18UZrb9Q03iqmqyton7pZ4ezyCQyhegr/iGsSupZnaxbISVBbGPNTAW7eyl+G/B2rbGq0otr7UuKgVP0ZadQxhjwFBDBCpuDWAbGULKuWgcUbudlNhVURkJGZ7pLbN3cMSZh7+/vbN+/DuvdhZvntQrNK7vv/kPdu4uSqWSjS5GPCmneMsw5ybbjJ2O863kdwa8tQjYZ5htw4s7G0n6u6AJ4h0lBrRZJJmbwOunyS3IV1gsl10sASNmQKzRhCmJIPaOkP50u/hSHuF1Sqn9PWMdwZ7O0LbIVorbYly/P3139/EUnCjbE997pSeHz/BcrfAYMvFOqW+2Um0Uczfz367OL8g7+h1xWXZjfWOb6uj7ehpmFtDFEfICmQMqNtHVqc+xUsWk6dn+yrHYna8gs2HLsJvSc6udmw5y4JUPj8NXXoDFnsxFMfblAfuFdBSXP2XrxvuCnNkOdQkU99u9Jc4E/qBshvDuGq04rugbuWLe58T00RS1KkhfzNWKzn/t6mg7EpwY6H824vwt+fdp1zOgMU/mnENKyqiigydit5vCJUlMYqMHEsNc26sXjvL/pjCoqZ2EZr1dziQXRwGSKJT6lho+kJoX6/FlO51Ie/0yQ5zkFav//J/AwAA//9QNb
zs" +} diff --git a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml new file mode 100644 index 00000000000..68b88a27df5 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Imperva"
+ product: "Secure"
+ type: "WAF"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/imperva/securesphere/config/liblogparser.js
+ - ${path.home}/module/imperva/securesphere/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
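Review bot: `product: "Secure"` under `fields.observer` looks truncated: the module lives at imperva/securesphere and the changelog entry on this page names the product "Imperva Secure Sphere", so the intended value would presumably be `product: "SecureSphere"`. Because observer.product is the field that downstream dashboards and detection rules key on, a mismatch here is hard to correct later without breaking saved searches, so it is worth settling before the dataset ships. If the short form is deliberate (for instance to match the vendor's RSA table name), a one-line comment on that line, `# observer.product kept as "Secure" to match the upstream RSA device name`, would spare the next reader the same question.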
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg1 = msg("IMPERVA_ALERT:02", part1); + +var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ 
+ dup1, + dup4, + dup3, +])); + +var msg2 = msg("IMPERVA_ALERT", part2); + +var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg3 = msg("IMPERVA_ALERT:03", part3); + +var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup4, + dup3, +])); + +var msg4 = msg("IMPERVA_ALERT:01", part4); + +var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup2, + dup3, +])); + +var msg5 = msg("IMPERVA_EVENT:01", part5); + +var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup4, + dup3, +])); + +var msg6 = msg("IMPERVA_EVENT", part6); + +var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup3, + dup13, +])); + +var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); + +var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup12, + dup3, + dup13, +])); + +var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); + +var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup16, + dup3, + dup13, +])); + +var msg9 = 
msg("IMPERVA_DATABASE_ACTIVITY:01", part9); + +var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup16, + dup3, + dup13, +])); + +var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); + +var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup12, + dup3, + dup13, +])); + +var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); + +var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup12, + dup3, + dup13, +])); + +var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); + +var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup4, + dup3, + dup13, +])); + +var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); + +var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup4, + dup3, + dup13, +])); + +var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); + +var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); + +var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); + +var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ + setc("eventcategory","1401050200"), + dup20, + dup12, + dup3, + dup13, +])); + +var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); + +var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", "nwparser.payload", 
"dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + setc("eventcategory","1206000000"), + dup4, + dup3, + dup13, +])); + +var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Imperva": select2, + }), +]); diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml new file mode 100644 index 00000000000..4a84f2a8bc8 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Imperva SecureSphere
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/imperva/securesphere/manifest.yml b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
new file mode 100644
index 00000000000..011afe2d747
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
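Review bot: The four `rename` processors in the second half of the hunk exist because the ASN `geoip` lookups above them emit the non-ECS keys `asn` and `organization_name` (the `properties` list), but nothing in the file says so, and a reader can easily take them for leftovers. I'd add a comment above the first rename: `# The ASN lookup writes asn/organization_name; rename them to the ECS as.number and as.organization.name fields.` The `on_failure` block only appends the failure text to `error.message`; whether anything downstream keys on that field to surface parse failures is outside this hunk, so it is worth stating in the comment that this is the only trace a failed document carries.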
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["imperva.securesphere", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9511
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
new file mode 100644
index 00000000000..fe6e7cfdfcc
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
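Review bot: The `var` list gives defaults for `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` but nothing in this file says what each knob changes in the output, so a deployer has only the names to go on. I'd add a one-line comment above each of those entries; for example `# keep_raw_fields: presumably retains the parser's original fields next to the mapped ones — confirm against the shared RSA input template` (hedged, since the semantics are defined elsewhere). It is also worth noting in the module docs that the `syslog_host: localhost` default means a stock install listens only on loopback, so exposing the UDP listener on port 9511 to the appliance is a deliberate configuration step rather than the default.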
@@ -0,0 +1,100 @@ +%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application="scivel",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action="cancel",rawQuery="sit" +%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message="eacomm" +%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application="taliqu",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action="accept",rawQuery="ehenderi" +%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application="admi",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action="cancel",rawQuery="xercitat" +%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 
10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName="tionof",evntDesc="snostrud",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName="bor",occurrences=7243,httpHost=hitect,webMethod=dol,url="https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug",webQuery="lit",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application="eaq",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel +%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName="volupt",evntDesc="osqui",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName="eprehend",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url="https://example.net/tlabo/uames.gif?mpo=offi#giatnu",webQuery="ulapa",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application="onsecte",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept +%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application="atcu",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action="accept",rawQuery="rau" +%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application="tlabore",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action="cancel",rawQuery="tenbyCi" +%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application="temqu",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action="deny",rawQuery="uamni" +%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application="esciuntN",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action="block",rawQuery="ofdeFini" +%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application="cusant",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action="accept",rawQuery="uia" +%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application="tutlab",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action="block",rawQuery="orumSe" +%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName="tconsect",evntDesc="aquae",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName="eumiure",occurrences=4603,httpHost=ima,webMethod=quasia,url="https://example.org/umwrit/uptate.html?ctetura=aveni#elit",webQuery="seosqui",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application="cinge",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action="accept",errormsg="unknown" +%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName="tenim",evntDesc="rumet",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName="ama",occurrences=332,httpHost=runtmol,webMethod=texpli,url="https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele",webQuery="isis",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application="ationev",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny +%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application="onula",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action="block",rawQuery="uisaute" +%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application="mvolu",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action="deny",rawQuery="amcor" +%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application="nofd",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action="accept",rawQuery="borisnis" +%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application="tla",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action="cancel",rawQuery="reetd" +%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message="volupt" +%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 
19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application="itationu",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action="deny",rawQuery="mmodoc" +%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application="rcit",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action="allow",rawQuery="aturve" +%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application="eprehend",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action="cancel",rawQuery="ccae" +%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName="tatem",evntDesc="iae",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName="saquaea",occurrences=6344,httpHost=eetd,webMethod=illu,url="https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur",webQuery="tionula",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application="asuntexp",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action="deny",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application="roquisqu",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action="cancel",rawQuery="inrepreh" +%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName="natu",evntDesc="liquid",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName="radipisc",occurrences=5347,httpHost=nibus,webMethod=vitaed,url="https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo",webQuery="atemUte",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application="osamnis",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action="allow",errormsg="unknown" 
+%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application="tiumto",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action="block",rawQuery="equamnih" +%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName="licaboNe",evntDesc="tautfug",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName="ici",occurrences=7102,httpHost=mips,webMethod=itae,url="https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu",webQuery="tan",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application="usantiu",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block +%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application="acom",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action="accept",rawQuery="reet" +%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 
11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application="lestia",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action="block",rawQuery="uames" +%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application="tametco",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action="block",rawQuery="prehen" +%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application="emi",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action="block",rawQuery="edutp" +%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message="temvele" +%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName="ibusBo",evntDesc="orin",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName="tatemse",occurrences=4493,httpHost=amqui,webMethod=lamco,url="https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi",webQuery="tlabore",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" +%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" +%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" +%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 
19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application="taevit",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action="cancel",rawQuery="aquae" +%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application="ptat",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action="block",rawQuery="velillum" +%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName="emipsumq",evntDesc="culpaq",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName="adipisc",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url="https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui",webQuery="lup",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application="iades",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action="cancel",errormsg="success" +%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message="Quisa" +%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 
23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName="iuntN",evntDesc="utfugi",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName="exeacomm",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url="https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs",webQuery="ercitati",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application="edquia",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action="accept",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application="apari",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action="deny",rawQuery="eumiu" +%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application="ptatemse",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action="cancel",rawQuery="Except" +%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message="inBCSedu" +%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application="dictasun",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action="accept",rawQuery="quovo" +%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application="rumex",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action="block",rawQuery="ihil" +%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application="itaedi",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action="block",rawQuery="onorumet" +%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application="itation",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action="allow",rawQuery="liquid" +%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName="vol",evntDesc="epteurs",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName="yCice",occurrences=508,httpHost=ionem,webMethod=taevitae,url="https://api.example.net/quam/saute.htm?nostru=docons#emipsumq",webQuery="orinr",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application="conse",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action="allow",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application="oloremq",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action="allow",rawQuery="mto" +%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application="umdolo",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action="block",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 
05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application="mea",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action="block",rawQuery="liq" +%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application="itatis",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action="block",rawQuery="hende" +%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName="tiumd",evntDesc="atuse",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName="nulapari",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url="https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia",webQuery="edquiac",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application="eritin",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action="cancel",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application="tatemse",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action="deny",rawQuery="BCSedutp" 
+%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName="eabil",evntDesc="ibusB",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName="siarch",occurrences=7468,httpHost=setq,webMethod=rumwr,url="https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd",webQuery="ntore",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application="caecat",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action="deny",errormsg="success" +%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application="utod",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action="deny",rawQuery="nemullam" +%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application="uasiarch",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action="accept",rawQuery="oremagn" +%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 
06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName="tutlabo",evntDesc="nto",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName="sintoc",occurrences=7580,httpHost=laboris,webMethod=ali,url="https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa",webQuery="sunt",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application="amqua",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel +%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName="atu",evntDesc="adeseru",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName="datatno",occurrences=3538,httpHost=siar,webMethod=orisnis,url="https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco",webQuery="ommodoco",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application="stenat",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny +%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application="tau",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action="block",rawQuery="ant" +%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application="qua",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action="deny",rawQuery="onevol" +%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application="dolor",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action="cancel",rawQuery="dquiaco" +%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application="abo",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action="cancel",rawQuery="equuntu" +%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application="velitess",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action="cancel",rawQuery="cepteurs" +%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName="ptate",evntDesc="enimips",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName="ctas",occurrences=7128,httpHost=sequ,webMethod=gna,url="https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod",webQuery="tur",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application="rorsitv",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel +%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message="deserun" +%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message="utali" +%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application="urere",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action="cancel",rawQuery="quatu" +%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application="enim",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action="accept",rawQuery="lamco" +%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message="cepte" +%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application="uidolore",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action="cancel",rawQuery="porinci" +%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message="nos" +%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application="entsu",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action="allow",rawQuery="uovo" +%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application="natuser",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action="allow",rawQuery="byCicer" +%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application="cept",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action="cancel",rawQuery="maven" +%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application="aaliqu",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action="allow",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application="siarch",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action="cancel",rawQuery="ita" +%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application="riaturE",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action="accept",rawQuery="non" +%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application="cons",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action="block",rawQuery="cusan" +%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application="ser",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action="cancel",rawQuery="ore" +%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message="ntutla" +%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application="exerc",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action="accept",rawQuery="econsequ" +%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application="cca",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action="block",rawQuery="nul" +%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 
21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application="uat",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action="allow",rawQuery="sperna" +%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName="busBonor",evntDesc="enima",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName="eab",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url="https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu",webQuery="suntincu",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application="eumiurer",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow +%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message="ten" +%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application="etdo",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action="cancel",rawQuery="osquira" +%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application="ididun",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action="allow",rawQuery="seos" +%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application="tvol",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action="deny",rawQuery="edquian" +%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application="enatuser",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action="deny",rawQuery="ipsamvol" +%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName="uisnos",evntDesc="loi",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName="aqueipsa",occurrences=5863,httpHost=ide,webMethod=atcupi,url="https://www.example.com/sit/ugi.gif?sitametc=rur#edut",webQuery="sitametc",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application="uptateve",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block 
+%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName="alorumwr",evntDesc="pis",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName="atemq",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url="https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem",webQuery="plicab",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application="olorinr",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action="allow",errormsg="failure" +%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName="eabill",evntDesc="itatiset",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName="emveleu",occurrences=4029,httpHost=norumet,webMethod=tconse,url="https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo",webQuery="lestia",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application="untmoll",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action="deny",errormsg="success" +%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application="ameiusm",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action="deny",rawQuery="natus" 
+%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName="nevo",evntDesc="stiaec",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName="iutaliqu",occurrences=3711,httpHost=onsectet,webMethod=iat,url="https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip",webQuery="iquaUte",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application="urEx",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action="block",errormsg="success" +%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application="uptatemU",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action="block",rawQuery="tmollit" +%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName="ommodi",evntDesc="ritat",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName="tla",occurrences=2608,httpHost=ender,webMethod=quid,url="https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema",webQuery="ioffici",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application="emquia",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel 
+%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application="tetura",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action="deny",rawQuery="nemu" +%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application="exerci",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action="accept",rawQuery="icer" diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json new file mode 100644 index 00000000000..4ab905ff64f --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json 
@@ -0,0 +1,5628 @@ +[ + { + "destination.ip": [ + "10.70.155.35" + ], + "destination.port": 892, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ommod", + "host.hostname": "radipis5408.mail.local", + "input.type": "log", + "log.offset": 0, + "network.application": "scivel", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.81.122.126", + "10.70.155.35" + ], + "related.user": [ + "magn", + "aqui", + "tatno" + ], + "rsa.counters.dclass_c1": 5910, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enatuse", + "rsa.db.index": "sit", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "ommod", + "rsa.misc.group_object": "uam", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 10.347, + "rsa.time.starttime": "2016-01-29T08:09:59.000Z", + "service.type": "imperva", + "source.address": "radipis5408.mail.local", + "source.ip": [ + "10.81.122.126" + ], + "source.port": 4141, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tatno" + }, + { + "event.action": "erep", + "event.code": 
"Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message=\"eacomm\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 439, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "temq" + ], + "rsa.internal.event_desc": "eacomm", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "erep", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "temq" + }, + { + "destination.ip": [ + "10.58.116.231" + ], + "destination.port": 996, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"", + "fileset.name": "securesphere", + "group.name": "oll", + "host.hostname": "ccusan7572.api.home", + "input.type": "log", + "log.offset": 580, + "network.application": "taliqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.58.116.231", + "10.159.182.171" + ], + "related.user": [ + "qua", + "temUten", + "uradi" + ], + "rsa.counters.dclass_c1": 3626, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aveniam", + "rsa.db.index": "ehenderi", + 
"rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "rumet", + "rsa.misc.group": "oll", + "rsa.misc.group_object": "apariat", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 79.328, + "rsa.time.starttime": "2016-02-26T22:15:08.000Z", + "service.type": "imperva", + "source.address": "ccusan7572.api.home", + "source.ip": [ + "10.159.182.171" + ], + "source.port": 3947, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "qua" + }, + { + "destination.ip": [ + "10.232.27.250" + ], + "destination.port": 7838, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application=\"admi\",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action=\"cancel\",rawQuery=\"xercitat\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "luptatev", + "host.hostname": "elaudant5931.internal.invalid", + "input.type": "log", + "log.offset": 1023, + "network.application": "admi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.232.27.250", + "10.18.124.28" + ], + "related.user": [ + "mquidol", + "modocons", + "lapariat" + ], + "rsa.counters.dclass_c1": 6564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "xercitat", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "rsitamet", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 87.496, + "rsa.time.starttime": "2016-03-12T05:17:42.000Z", + "service.type": "imperva", + "source.address": "elaudant5931.internal.invalid", + "source.ip": [ + "10.18.124.28" + ], + "source.port": 7668, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mquidol" + }, + { + "destination.ip": [ + "10.197.250.10" + ], + "destination.port": 5697, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName=\"tionof\",evntDesc=\"snostrud\",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName=\"bor\",occurrences=7243,httpHost=hitect,webMethod=dol,url=\"https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug\",webQuery=\"lit\",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application=\"eaq\",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel", + "fileset.name": "securesphere", + "group.name": "laborum", + "host.hostname": "amest4147.mail.host", + "input.type": "log", + "log.level": "high", + "log.offset": 1487, + "network.application": "eaq", + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.197.250.10", + "10.6.137.200" + ], + "related.user": [ + "oluptas", + "occae", + "intoc" + ], + "rsa.counters.event_counter": 7243, 
+ "rsa.db.database": "tNequepo", + "rsa.internal.event_desc": "snostrud", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "dol", + "cancel" + ], + "rsa.misc.category": "nama", + "rsa.misc.disposition": "quisnos", + "rsa.misc.event_type": "ite", + "rsa.misc.group": "laborum", + "rsa.misc.log_session_id": "eaq", + "rsa.misc.operation_id": "ationemu", + "rsa.misc.policy_name": "bor", + "rsa.misc.result_code": "estia", + "rsa.misc.rule_name": "tionof", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2016-03-26T12:20:16.000Z", + "rsa.web.alias_host": "hitect", + "rule.name": "tionof", + "service.type": "imperva", + "source.address": "amest4147.mail.host", + "source.ip": [ + "10.6.137.200" + ], + "source.port": 2707, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug", + "url.query": "lit", + "user.name": "occae" + }, + { + "destination.ip": [ + "10.36.194.106" + ], + "destination.port": 5473, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName=\"volupt\",evntDesc=\"osqui\",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName=\"eprehend\",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url=\"https://example.net/tlabo/uames.gif?mpo=offi#giatnu\",webQuery=\"ulapa\",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application=\"onsecte\",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept", + "fileset.name": "securesphere", + "group.name": "tlab", + 
"host.hostname": "eratv6205.internal.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 2221, + "network.application": "onsecte", + "network.direction": "outbound", + "network.protocol": "igmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.179.124.125", + "10.36.194.106" + ], + "related.user": [ + "acommod", + "reme", + "ncidid" + ], + "rsa.counters.event_counter": 2462, + "rsa.db.database": "uaUteni", + "rsa.internal.event_desc": "osqui", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "lamcolab", + "accept" + ], + "rsa.misc.category": "xerc", + "rsa.misc.disposition": "iutali", + "rsa.misc.event_type": "fdeFi", + "rsa.misc.group": "tlab", + "rsa.misc.log_session_id": "uptate", + "rsa.misc.operation_id": "sperna", + "rsa.misc.policy_name": "eprehend", + "rsa.misc.result_code": "quioffi", + "rsa.misc.rule_name": "volupt", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "rsa.web.alias_host": "dutper", + "rule.name": "volupt", + "service.type": "imperva", + "source.address": "eratv6205.internal.lan", + "source.ip": [ + "10.179.124.125" + ], + "source.port": 1696, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "url.query": "ulapa", + "user.name": "ncidid" + }, + { + "destination.ip": [ + "10.129.149.43" + ], + "destination.port": 3304, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 
00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application=\"atcu\",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action=\"accept\",rawQuery=\"rau\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "dexea", + "host.hostname": "didunt1355.corp", + "input.type": "log", + "log.offset": 2965, + "network.application": "atcu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.129.149.43", + "10.211.105.204" + ], + "related.user": [ + "labor", + "orema", + "eveli" + ], + "rsa.counters.dclass_c1": 6855, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "udan", + "rsa.db.index": "rau", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dexea", + "rsa.misc.group_object": "aliquide", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 74.098, + "rsa.time.starttime": "2016-04-24T02:25:25.000Z", + "service.type": "imperva", + "source.address": "didunt1355.corp", + "source.ip": [ + "10.211.105.204" + ], + "source.port": 2742, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "eveli" + }, + { + "destination.ip": [ + "10.214.191.180" + ], + "destination.port": 5848, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application=\"tlabore\",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action=\"cancel\",rawQuery=\"tenbyCi\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "luptatev", + "host.hostname": "pora6854.www5.home", + "input.type": "log", + "log.offset": 3402, + "network.application": "tlabore", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.214.191.180", + "10.112.250.193" + ], + "related.user": [ + "ipsumdol", + "ide", + "Exc" + ], + "rsa.counters.dclass_c1": 6852, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nevo", + "rsa.db.index": "tenbyCi", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "urerepr", + "rsa.misc.result": "success", + "rsa.time.duration_time": 49.573, + "rsa.time.starttime": "2016-05-08T09:27:59.000Z", + "service.type": "imperva", + "source.address": "pora6854.www5.home", + "source.ip": [ + "10.112.250.193" + ], + "source.port": 5705, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ipsumdol" + }, + { + "destination.ip": [ + "10.251.20.13" + ], + "destination.port": 264, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 
14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application=\"temqu\",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action=\"deny\",rawQuery=\"uamni\"", + "fileset.name": "securesphere", + "group.name": "utpe", + "host.hostname": "ptasn6599.www.localhost", + "input.type": "log", + "log.offset": 3849, + "network.application": "temqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.192.34.76", + "10.251.20.13" + ], + "related.user": [ + "iquipe", + "tnonpro", + "ovol" + ], + "rsa.counters.dclass_c1": 3645, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lore", + "rsa.db.index": "uamni", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "abor", + "rsa.misc.group": "utpe", + "rsa.misc.group_object": "upida", + "rsa.misc.result": "success", + "rsa.time.duration_time": 20.909, + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "imperva", + "source.address": "ptasn6599.www.localhost", + "source.ip": [ + "10.192.34.76" + ], + "source.port": 1450, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iquipe" + }, + { + "destination.ip": [ + "10.74.105.218" + ], + "destination.port": 2438, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 
21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application=\"esciuntN\",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action=\"block\",rawQuery=\"ofdeFini\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ium", + "host.hostname": "ptasnu6684.mail.lan", + "input.type": "log", + "log.offset": 4290, + "network.application": "esciuntN", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.74.105.218", + "10.59.138.212" + ], + "related.user": [ + "archite", + "idunt", + "boree" + ], + "rsa.counters.dclass_c1": 248, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "orumSe", + "rsa.db.index": "ofdeFini", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ium", + "rsa.misc.group_object": "asi", + "rsa.misc.result": "success", + "rsa.time.duration_time": 158.45, + "rsa.time.starttime": "2016-06-05T23:33:08.000Z", + "service.type": "imperva", + "source.address": "ptasnu6684.mail.lan", + "source.ip": [ + "10.59.138.212" + ], + "source.port": 7829, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "archite" + }, + { + "destination.ip": [ + "10.168.159.13" + ], + "destination.port": 3319, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 
04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application=\"cusant\",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action=\"accept\",rawQuery=\"uia\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "isisten", + "host.hostname": "rinre2977.api.corp", + "input.type": "log", + "log.offset": 4738, + "network.application": "cusant", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.168.159.13", + "10.230.173.4" + ], + "related.user": [ + "isnostr", + "inci", + "atemq" + ], + "rsa.counters.dclass_c1": 6135, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "totamre", + "rsa.db.index": "uia", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "isisten", + "rsa.misc.group_object": "avol", + "rsa.misc.result": "success", + "rsa.time.duration_time": 86.668, + "rsa.time.starttime": "2016-06-20T06:35:42.000Z", + "service.type": "imperva", + "source.address": "rinre2977.api.corp", + "source.ip": [ + "10.230.173.4" + ], + "source.port": 2631, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "inci" + }, + { + "destination.ip": [ + "10.49.167.57" + ], + "destination.port": 2119, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application=\"tutlab\",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action=\"block\",rawQuery=\"orumSe\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "seq", + "host.hostname": "atevelit2450.local", + "input.type": "log", + "log.offset": 5178, + "network.application": "tutlab", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.41.21.204", + "10.49.167.57" + ], + "related.user": [ + "ccaeca", + "sau", + "tali" + ], + "rsa.counters.dclass_c1": 6818, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aperia", + "rsa.db.index": "orumSe", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "seq", + "rsa.misc.group_object": "rpori", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 115.224, + "rsa.time.starttime": "2016-07-04T13:38:16.000Z", + "service.type": "imperva", + "source.address": "atevelit2450.local", + "source.ip": [ + "10.41.21.204" + ], + "source.port": 3540, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tali" + }, + { + "destination.ip": [ + "10.62.147.186" + ], + "destination.port": 5592, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 
18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName=\"tconsect\",evntDesc=\"aquae\",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName=\"eumiure\",occurrences=4603,httpHost=ima,webMethod=quasia,url=\"https://example.org/umwrit/uptate.html?ctetura=aveni#elit\",webQuery=\"seosqui\",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application=\"cinge\",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action=\"accept\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "siut", + "host.hostname": "itla658.api.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 5610, + "network.application": "cinge", + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.62.147.186", + "10.216.125.252" + ], + "related.user": [ + "lorsita", + "llamco", + "dolore" + ], + "rsa.counters.event_counter": 4603, + "rsa.db.database": "uptate", + "rsa.internal.event_desc": "aquae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept", + "quasia" + ], + "rsa.misc.category": "boreetdo", + "rsa.misc.disposition": "aturve", + "rsa.misc.event_type": "ditemp", + "rsa.misc.group": "siut", + "rsa.misc.log_session_id": "tot", + "rsa.misc.operation_id": "dutp", + "rsa.misc.policy_name": "eumiure", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "uradi", + "rsa.misc.rule_name": "tconsect", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "rsa.web.alias_host": "ima", + "rule.name": "tconsect", + "service.type": "imperva", + "source.address": "itla658.api.localhost", + "source.ip": [ + "10.216.125.252" + ], + 
"source.port": 3406, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.org/umwrit/uptate.html?ctetura=aveni#elit", + "url.query": "seosqui", + "user.name": "llamco" + }, + { + "destination.ip": [ + "10.204.128.215" + ], + "destination.port": 2538, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName=\"tenim\",evntDesc=\"rumet\",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName=\"ama\",occurrences=332,httpHost=runtmol,webMethod=texpli,url=\"https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele\",webQuery=\"isis\",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application=\"ationev\",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny", + "fileset.name": "securesphere", + "group.name": "veli", + "host.hostname": "umdolor4389.api.home", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6379, + "network.application": "ationev", + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.52.125.9", + "10.204.128.215" + ], + "related.user": [ + "paquioff", + "nci", + "rum" + ], + "rsa.counters.event_counter": 332, + "rsa.db.database": "isau", + "rsa.internal.event_desc": "rumet", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "texpli" + ], + "rsa.misc.category": "verita", + "rsa.misc.disposition": "sectet", + "rsa.misc.event_type": "etdo", + "rsa.misc.group": "veli", + 
"rsa.misc.log_session_id": "emUteni", + "rsa.misc.operation_id": "ate", + "rsa.misc.policy_name": "ama", + "rsa.misc.result_code": "utlab", + "rsa.misc.rule_name": "tenim", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2016-08-02T03:43:25.000Z", + "rsa.web.alias_host": "runtmol", + "rule.name": "tenim", + "service.type": "imperva", + "source.address": "umdolor4389.api.home", + "source.ip": [ + "10.52.125.9" + ], + "source.port": 3689, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele", + "url.query": "isis", + "user.name": "rum" + }, + { + "destination.ip": [ + "10.200.68.129" + ], + "destination.port": 2558, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application=\"onula\",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action=\"block\",rawQuery=\"uisaute\"", + "fileset.name": "securesphere", + "group.name": "ate", + "host.hostname": "rationev6444.localhost", + "input.type": "log", + "log.offset": 7117, + "network.application": "onula", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.200.68.129", + "10.34.148.166" + ], + "related.user": [ + "miu", + "icabo", + "untutlab" + ], + "rsa.counters.dclass_c1": 5427, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tatem", + "rsa.db.index": "uisaute", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "rsita", + "rsa.misc.group": "ate", + 
"rsa.misc.group_object": "preh", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 176.685, + "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "service.type": "imperva", + "source.address": "rationev6444.localhost", + "source.ip": [ + "10.34.148.166" + ], + "source.port": 3022, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "icabo" + }, + { + "destination.ip": [ + "10.226.101.180" + ], + "destination.port": 1000, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application=\"mvolu\",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action=\"deny\",rawQuery=\"amcor\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "usmodi", + "host.hostname": "ipi7727.www5.domain", + "input.type": "log", + "log.offset": 7557, + "network.application": "mvolu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.134.5.40", + "10.226.101.180" + ], + "related.user": [ + "siu", + "conse", + "licabo" + ], + "rsa.counters.dclass_c1": 6356, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "isiu", + "rsa.db.index": "amcor", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "usmodi", + "rsa.misc.group_object": "llamc", + "rsa.misc.result": "success", + 
"rsa.time.duration_time": 41.238, + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "imperva", + "source.address": "ipi7727.www5.domain", + "source.ip": [ + "10.134.5.40" + ], + "source.port": 7284, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "siu" + }, + { + "destination.ip": [ + "10.126.26.131" + ], + "destination.port": 2595, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application=\"nofd\",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action=\"accept\",rawQuery=\"borisnis\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "rroqu", + "host.hostname": "spernatu5539.domain", + "input.type": "log", + "log.offset": 7992, + "network.application": "nofd", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.126.26.131", + "10.30.98.10" + ], + "related.user": [ + "dipisci", + "olori", + "velite" + ], + "rsa.counters.dclass_c1": 7717, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quunt", + "rsa.db.index": "borisnis", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rroqu", + "rsa.misc.group_object": "itation", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 96.729, + 
"rsa.time.starttime": "2016-09-14T00:51:07.000Z", + "service.type": "imperva", + "source.address": "spernatu5539.domain", + "source.ip": [ + "10.30.98.10" + ], + "source.port": 7576, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "velite" + }, + { + "destination.ip": [ + "10.190.10.219" + ], + "destination.port": 5530, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application=\"tla\",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action=\"cancel\",rawQuery=\"reetd\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "leumiu", + "host.hostname": "nimid372.api.corp", + "input.type": "log", + "log.offset": 8445, + "network.application": "tla", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.233.120.207", + "10.190.10.219" + ], + "related.user": [ + "item", + "accusant", + "quamnih" + ], + "rsa.counters.dclass_c1": 3278, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "atcupid", + "rsa.db.index": "reetd", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "leumiu", + "rsa.misc.group_object": "stenatu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 60.949, + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + 
"service.type": "imperva", + "source.address": "nimid372.api.corp", + "source.ip": [ + "10.233.120.207" + ], + "source.port": 136, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "accusant" + }, + { + "event.action": "rad", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message=\"volupt\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 8890, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "sequa" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "rad", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-10-12T14:56:16.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "sequa" + }, + { + "destination.ip": [ + "10.100.98.56" + ], + "destination.port": 1089, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application=\"itationu\",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action=\"deny\",rawQuery=\"mmodoc\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ullamcor", + "host.hostname": "maliquam2147.internal.home", + "input.type": "log", + "log.offset": 9029, + "network.application": "itationu", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.248.184.200", + "10.100.98.56" + ], + "related.user": [ + "proident", + "ritati", + "boru" + ], + "rsa.counters.dclass_c1": 5923, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "mmodoc", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ullamcor", + "rsa.misc.group_object": "ptatem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 179.541, + "rsa.time.starttime": "2016-10-26T21:58:50.000Z", + "service.type": "imperva", + "source.address": "maliquam2147.internal.home", + "source.ip": [ + "10.248.184.200" + ], + "source.port": 5315, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "boru" + }, + { + "destination.ip": [ + "10.197.6.245" + ], + "destination.port": 27, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application=\"rcit\",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action=\"allow\",rawQuery=\"aturve\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "rroq", + "host.hostname": "olabor2983.internal.localhost", + "input.type": "log", + "log.offset": 9492, + "network.application": "rcit", + "observer.product": "Secure", + "observer.type": "WAF", + 
"observer.vendor": "Imperva", + "related.ip": [ + "10.197.6.245", + "10.82.28.220" + ], + "related.user": [ + "aecatcup", + "oluptat", + "dtempo" + ], + "rsa.counters.dclass_c1": 3071, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "citatio", + "rsa.db.index": "aturve", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rroq", + "rsa.misc.group_object": "imad", + "rsa.misc.result": "success", + "rsa.time.duration_time": 120.142, + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "service.type": "imperva", + "source.address": "olabor2983.internal.localhost", + "source.ip": [ + "10.82.28.220" + ], + "source.port": 3570, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "dtempo" + }, + { + "destination.ip": [ + "10.6.27.103" + ], + "destination.port": 3179, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application=\"eprehend\",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action=\"cancel\",rawQuery=\"ccae\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "strumex", + "host.hostname": "hitec2111.mail.corp", + "input.type": "log", + "log.offset": 9953, + "network.application": "eprehend", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + 
"related.ip": [ + "10.167.252.183", + "10.6.27.103" + ], + "related.user": [ + "redol", + "asnu", + "ationul" + ], + "rsa.counters.dclass_c1": 6606, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "perspici", + "rsa.db.index": "ccae", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "strumex", + "rsa.misc.group_object": "doei", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 155.907, + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "service.type": "imperva", + "source.address": "hitec2111.mail.corp", + "source.ip": [ + "10.167.252.183" + ], + "source.port": 2003, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "redol" + }, + { + "destination.ip": [ + "10.81.184.7" + ], + "destination.port": 6735, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName=\"tatem\",evntDesc=\"iae\",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName=\"saquaea\",occurrences=6344,httpHost=eetd,webMethod=illu,url=\"https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur\",webQuery=\"tionula\",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application=\"asuntexp\",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action=\"deny\",errormsg=\"failure\"", + "fileset.name": "securesphere", + 
"group.name": "mollita", + "host.hostname": "adminim2559.www5.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 10408, + "network.application": "asuntexp", + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.81.184.7", + "10.88.45.111" + ], + "related.user": [ + "iameaque", + "undeomni", + "lmole" + ], + "rsa.counters.event_counter": 6344, + "rsa.db.database": "nderi", + "rsa.internal.event_desc": "iae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "illu" + ], + "rsa.misc.category": "quido", + "rsa.misc.disposition": "emip", + "rsa.misc.event_type": "inBC", + "rsa.misc.group": "mollita", + "rsa.misc.log_session_id": "uamei", + "rsa.misc.operation_id": "ntNe", + "rsa.misc.policy_name": "saquaea", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ecatcupi", + "rsa.misc.rule_name": "tatem", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.web.alias_host": "eetd", + "rule.name": "tatem", + "service.type": "imperva", + "source.address": "adminim2559.www5.invalid", + "source.ip": [ + "10.88.45.111" + ], + "source.port": 6165, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur", + "url.query": "tionula", + "user.name": "undeomni" + }, + { + "destination.ip": [ + "10.214.3.140" + ], + "destination.port": 6127, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 
00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application=\"roquisqu\",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action=\"cancel\",rawQuery=\"inrepreh\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ection", + "host.hostname": "dolorem6882.api.local", + "input.type": "log", + "log.offset": 11171, + "network.application": "roquisqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.214.3.140", + "10.29.119.245" + ], + "related.user": [ + "scipitl", + "taliqui", + "edolorin" + ], + "rsa.counters.dclass_c1": 5140, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rsi", + "rsa.db.index": "inrepreh", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ection", + "rsa.misc.group_object": "olli", + "rsa.misc.result": "success", + "rsa.time.duration_time": 119.229, + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "service.type": "imperva", + "source.address": "dolorem6882.api.local", + "source.ip": [ + "10.29.119.245" + ], + "source.port": 1179, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "scipitl" + }, + { + "destination.ip": [ + "10.110.133.7" + ], + "destination.port": 57, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 
07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName=\"natu\",evntDesc=\"liquid\",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName=\"radipisc\",occurrences=5347,httpHost=nibus,webMethod=vitaed,url=\"https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo\",webQuery=\"atemUte\",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application=\"osamnis\",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action=\"allow\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "accusa", + "host.hostname": "temaccu5302.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 11619, + "network.application": "osamnis", + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.218.123.234", + "10.110.133.7" + ], + "related.user": [ + "etconsec", + "pta", + "caboNem" + ], + "rsa.counters.event_counter": 5347, + "rsa.db.database": "urExcept", + "rsa.internal.event_desc": "liquid", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "vitaed", + "allow" + ], + "rsa.misc.category": "enim", + "rsa.misc.disposition": "Finibus", + "rsa.misc.event_type": "radi", + "rsa.misc.group": "accusa", + "rsa.misc.log_session_id": "eosquira", + "rsa.misc.operation_id": "dipiscin", + "rsa.misc.policy_name": "radipisc", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mdolore", + "rsa.misc.rule_name": "natu", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "rsa.web.alias_host": "nibus", + "rule.name": "natu", + "service.type": "imperva", + "source.address": "temaccu5302.test", + "source.ip": [ + "10.218.123.234" + ], 
+ "source.port": 2064, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo", + "url.query": "atemUte", + "user.name": "pta" + }, + { + "destination.ip": [ + "10.105.190.170" + ], + "destination.port": 2519, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application=\"tiumto\",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action=\"block\",rawQuery=\"equamnih\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "dolor", + "host.hostname": "nder347.www.corp", + "input.type": "log", + "log.offset": 12387, + "network.application": "tiumto", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.105.190.170", + "10.182.152.242" + ], + "related.user": [ + "litan", + "mquisn", + "doeiu" + ], + "rsa.counters.dclass_c1": 3474, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "alorum", + "rsa.db.index": "equamnih", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dolor", + "rsa.misc.group_object": "orumw", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 68.556, + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "imperva", + "source.address": 
"nder347.www.corp", + "source.ip": [ + "10.182.152.242" + ], + "source.port": 1877, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "doeiu" + }, + { + "destination.ip": [ + "10.123.166.197" + ], + "destination.port": 7082, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName=\"licaboNe\",evntDesc=\"tautfug\",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName=\"ici\",occurrences=7102,httpHost=mips,webMethod=itae,url=\"https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu\",webQuery=\"tan\",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application=\"usantiu\",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block", + "fileset.name": "securesphere", + "group.name": "tutla", + "host.hostname": "idunt4633.internal.host", + "input.type": "log", + "log.level": "low", + "log.offset": 12830, + "network.application": "usantiu", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.59.188.188", + "10.123.166.197" + ], + "related.user": [ + "liquam", + "emUte", + "min" + ], + "rsa.counters.event_counter": 7102, + "rsa.db.database": "oluptat", + "rsa.internal.event_desc": "tautfug", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "itae" + ], + "rsa.misc.category": "giatquov", + "rsa.misc.disposition": "olu", + "rsa.misc.event_type": "rmagnido", + "rsa.misc.group": "tutla", + 
"rsa.misc.log_session_id": "autfugit", + "rsa.misc.operation_id": "citati", + "rsa.misc.policy_name": "ici", + "rsa.misc.result_code": "sunt", + "rsa.misc.rule_name": "licaboNe", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "rsa.web.alias_host": "mips", + "rule.name": "licaboNe", + "service.type": "imperva", + "source.address": "idunt4633.internal.host", + "source.ip": [ + "10.59.188.188" + ], + "source.port": 7647, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", + "url.query": "tan", + "user.name": "emUte" + }, + { + "destination.ip": [ + "10.72.75.207" + ], + "destination.port": 6336, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application=\"acom\",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action=\"accept\",rawQuery=\"reet\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "lumdo", + "host.hostname": "ectob4634.mail.localhost", + "input.type": "log", + "log.offset": 13585, + "network.application": "acom", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.201.168.116", + "10.72.75.207" + ], + "related.user": [ + "urau", + "eufug", + "eFini" + ], + "rsa.counters.dclass_c1": 3348, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "prehend", + "rsa.db.index": "reet", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "lumdo", + "rsa.misc.group_object": "utali", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 79.765, + "rsa.time.starttime": "2017-02-18T06:19:24.000Z", + "service.type": "imperva", + "source.address": "ectob4634.mail.localhost", + "source.ip": [ + "10.201.168.116" + ], + "source.port": 2037, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "urau" + }, + { + "destination.ip": [ + "10.9.46.123" + ], + "destination.port": 586, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application=\"lestia\",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action=\"block\",rawQuery=\"uames\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "miurerep", + "host.hostname": "snu6436.www.local", + "input.type": "log", + "log.offset": 14032, + "network.application": "lestia", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.9.46.123", + "10.58.133.175" + ], + "related.user": [ + "nde", + "mfu", + "oco" + ], + "rsa.counters.dclass_c1": 3795, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "texplica", + "rsa.db.index": "uames", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "miurerep", + "rsa.misc.group_object": "llumq", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 14.713, + "rsa.time.starttime": "2017-03-04T13:21:59.000Z", + "service.type": "imperva", + "source.address": "snu6436.www.local", + "source.ip": [ + "10.58.133.175" + ], + "source.port": 1634, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mfu" + }, + { + "destination.ip": [ + "10.169.50.59" + ], + "destination.port": 7693, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application=\"tametco\",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action=\"block\",rawQuery=\"prehen\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "serrorsi", + "host.hostname": "lore7099.www.host", + "input.type": "log", + "log.offset": 14468, + "network.application": "tametco", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.70.29.203", + "10.169.50.59" + ], + "related.user": [ + "pta", + "veniamq", + "mquisnos" + ], + "rsa.counters.dclass_c1": 2358, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "isn", + "rsa.db.index": "prehen", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "serrorsi", + "rsa.misc.group_object": "piciatis", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 94.46, + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "service.type": "imperva", + "source.address": "lore7099.www.host", + "source.ip": [ + "10.70.29.203" + ], + "source.port": 5994, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "pta" + }, + { + "destination.ip": [ + "10.165.182.111" + ], + "destination.port": 5525, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application=\"emi\",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action=\"block\",rawQuery=\"edutp\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "cid", + "host.hostname": "lesti6939.api.local", + "input.type": "log", + "log.offset": 14919, + "network.application": "emi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.137.85.123", + "10.165.182.111" + ], + "related.user": [ + "ames", + "sis", + "Bonorum" + ], + "rsa.counters.dclass_c1": 6401, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "idu", + "rsa.db.index": "edutp", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + 
"block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "cid", + "rsa.misc.group_object": "amquisno", + "rsa.misc.result": "success", + "rsa.time.duration_time": 171.434, + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "service.type": "imperva", + "source.address": "lesti6939.api.local", + "source.ip": [ + "10.137.85.123" + ], + "source.port": 218, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ames" + }, + { + "event.action": "tateveli", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message=\"temvele\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "high", + "log.offset": 15352, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "sumdolo" + ], + "rsa.internal.event_desc": "temvele", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "tateveli", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "sumdolo" + }, + { + "destination.ip": [ + "10.173.178.109" + ], + "destination.port": 6659, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName=\"ibusBo\",evntDesc=\"orin\",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName=\"tatemse\",occurrences=4493,httpHost=amqui,webMethod=lamco,url=\"https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi\",webQuery=\"tlabore\",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "onofdeF", + "host.hostname": "upt6017.api.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 15503, + "network.application": "itsedd", + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.173.178.109", + "10.64.184.196" + ], + "related.user": [ + "uian", + "tam", + "nesci" + ], + "rsa.counters.event_counter": 4493, + "rsa.db.database": "sin", + "rsa.internal.event_desc": "orin", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "lamco" + ], + "rsa.misc.category": "enia", + "rsa.misc.disposition": "iavol", + "rsa.misc.event_type": "natuserr", + "rsa.misc.group": "onofdeF", + "rsa.misc.log_session_id": "olore", + "rsa.misc.operation_id": "inimve", + "rsa.misc.policy_name": "tatemse", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "expl", + "rsa.misc.rule_name": "ibusBo", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "rsa.web.alias_host": "amqui", + "rule.name": "ibusBo", + "service.type": "imperva", + "source.address": "upt6017.api.localdomain", + "source.ip": [ + "10.64.184.196" + ], + 
"source.port": 3327, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", + "url.query": "tlabore", + "user.name": "uian" + }, + { + "destination.ip": [ + "10.90.50.149" + ], + "destination.port": 1936, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ectobea", + "host.hostname": "turQuis4046.api.test", + "input.type": "log", + "log.offset": 16271, + "network.application": "dat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.168.225.209", + "10.90.50.149" + ], + "related.user": [ + "aUtenima", + "olupta", + "olu" + ], + "rsa.counters.dclass_c1": 1127, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "deomnisi", + "rsa.db.index": "iav", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ectobea", + "rsa.misc.group_object": "taliq", + "rsa.misc.result": "success", + "rsa.time.duration_time": 55.87, + "rsa.time.starttime": "2017-05-15T00:34:50.000Z", + "service.type": "imperva", + "source.address": 
"turQuis4046.api.test", + "source.ip": [ + "10.168.225.209" + ], + "source.port": 6, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "olu" + }, + { + "destination.ip": [ + "10.59.182.36" + ], + "destination.port": 5792, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "enimad", + "host.hostname": "con6049.internal.lan", + "input.type": "log", + "log.offset": 16712, + "network.application": "tis", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.59.182.36", + "10.18.150.82" + ], + "related.user": [ + "mtota", + "qua", + "luptat" + ], + "rsa.counters.dclass_c1": 6112, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quelaud", + "rsa.db.index": "tconse", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "enimad", + "rsa.misc.group_object": "rit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 135.357, + "rsa.time.starttime": "2017-05-29T07:37:24.000Z", + "service.type": "imperva", + "source.address": "con6049.internal.lan", + "source.ip": [ + "10.18.150.82" + ], + 
"source.port": 6648, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mtota" + }, + { + "event.action": "ulamcola", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17148, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "llita" + ], + "rsa.internal.event_desc": "nturmag", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ulamcola", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-06-12T14:39:58.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "llita" + }, + { + "destination.ip": [ + "10.228.229.144" + ], + "destination.port": 3236, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application=\"taevit\",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action=\"cancel\",rawQuery=\"aquae\"", + "fileset.name": "securesphere", + "group.name": "remeum", + "host.hostname": "tatnonp1371.www.invalid", + "input.type": "log", + "log.offset": 17295, + "network.application": "taevit", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.228.229.144", + "10.151.240.35" + ], + "related.user": [ + 
"lam", + "ametcons", + "ama" + ], + "rsa.counters.dclass_c1": 4325, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "xercit", + "rsa.db.index": "aquae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "lill", + "rsa.misc.group": "remeum", + "rsa.misc.group_object": "roquisq", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 168.492, + "rsa.time.starttime": "2017-06-26T21:42:33.000Z", + "service.type": "imperva", + "source.address": "tatnonp1371.www.invalid", + "source.ip": [ + "10.151.240.35" + ], + "source.port": 3197, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ametcons" + }, + { + "destination.ip": [ + "10.242.48.203" + ], + "destination.port": 1102, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application=\"ptat\",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action=\"block\",rawQuery=\"velillum\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ola", + "host.hostname": "tium3542.internal.invalid", + "input.type": "log", + "log.offset": 17739, + "network.application": "ptat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.242.48.203", + "10.147.142.242" + ], + "related.user": [ + "quisn", + "ese", + "quasi" + ], + "rsa.counters.dclass_c1": 3970, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "squamest", + "rsa.db.index": "velillum", + "rsa.internal.messageid": "Imperva", + 
"rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ola", + "rsa.misc.group_object": "eca", + "rsa.misc.result": "success", + "rsa.time.duration_time": 11.548, + "rsa.time.starttime": "2017-07-11T04:45:07.000Z", + "service.type": "imperva", + "source.address": "tium3542.internal.invalid", + "source.ip": [ + "10.147.142.242" + ], + "source.port": 2586, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ese" + }, + { + "destination.ip": [ + "10.254.10.98" + ], + "destination.port": 3787, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName=\"emipsumq\",evntDesc=\"culpaq\",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName=\"adipisc\",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url=\"https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui\",webQuery=\"lup\",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application=\"iades\",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action=\"cancel\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "paq", + "host.hostname": "radipis3991.mail.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18185, + "network.application": "iades", + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": 
"WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.213.165.165", + "10.254.10.98" + ], + "related.user": [ + "ttenb", + "civeli", + "eufugia" + ], + "rsa.counters.event_counter": 7365, + "rsa.db.database": "utlabore", + "rsa.internal.event_desc": "culpaq", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "uptasn" + ], + "rsa.misc.category": "quamq", + "rsa.misc.disposition": "usan", + "rsa.misc.event_type": "tdolo", + "rsa.misc.group": "paq", + "rsa.misc.log_session_id": "giat", + "rsa.misc.operation_id": "lapari", + "rsa.misc.policy_name": "adipisc", + "rsa.misc.result": "success", + "rsa.misc.result_code": "isau", + "rsa.misc.rule_name": "emipsumq", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-07-25T11:47:41.000Z", + "rsa.web.alias_host": "tasnul", + "rule.name": "emipsumq", + "service.type": "imperva", + "source.address": "radipis3991.mail.invalid", + "source.ip": [ + "10.213.165.165" + ], + "source.port": 4723, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui", + "url.query": "lup", + "user.name": "ttenb" + }, + { + "event.action": "trudexe", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message=\"Quisa\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18948, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "ura" + ], + "rsa.internal.event_desc": "Quisa", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "trudexe", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-08-08T18:50:15.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + 
], + "user.name": "ura" + }, + { + "destination.ip": [ + "10.169.28.157" + ], + "destination.port": 3402, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName=\"iuntN\",evntDesc=\"utfugi\",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName=\"exeacomm\",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url=\"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs\",webQuery=\"ercitati\",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application=\"edquia\",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action=\"accept\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "etco", + "host.hostname": "ihi7294.www5.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 19095, + "network.application": "edquia", + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.116.1.130", + "10.169.28.157" + ], + "related.user": [ + "reseo", + "eturadip", + "amco" + ], + "rsa.counters.event_counter": 1295, + "rsa.db.database": "ons", + "rsa.internal.event_desc": "utfugi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "pexeaco", + "accept" + ], + "rsa.misc.category": "ursintoc", + "rsa.misc.disposition": "tio", + "rsa.misc.event_type": "mmodicon", + "rsa.misc.group": "etco", + "rsa.misc.log_session_id": "lumquid", + "rsa.misc.operation_id": "llitani", + "rsa.misc.policy_name": "exeacomm", + 
"rsa.misc.result": "unknown", + "rsa.misc.result_code": "serro", + "rsa.misc.rule_name": "iuntN", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-08-23T01:52:50.000Z", + "rsa.web.alias_host": "ionula", + "rule.name": "iuntN", + "service.type": "imperva", + "source.address": "ihi7294.www5.localhost", + "source.ip": [ + "10.116.1.130" + ], + "source.port": 5439, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs", + "url.query": "ercitati", + "user.name": "eturadip" + }, + { + "destination.ip": [ + "10.29.138.31" + ], + "destination.port": 5871, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application=\"apari\",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action=\"deny\",rawQuery=\"eumiu\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "equa", + "host.hostname": "caecat4920.api.host", + "input.type": "log", + "log.offset": 19873, + "network.application": "apari", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.45.69.152", + "10.29.138.31" + ], + "related.user": [ + "volupta", + "umq", + "tsunt" + ], + "rsa.counters.dclass_c1": 744, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enim", + "rsa.db.index": "eumiu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "equa", + "rsa.misc.group_object": "emi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.416, + "rsa.time.starttime": "2017-09-06T08:55:24.000Z", + "service.type": "imperva", + "source.address": "caecat4920.api.host", + "source.ip": [ + "10.45.69.152" + ], + "source.port": 4083, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "volupta" + }, + { + "destination.ip": [ + "10.152.213.228" + ], + "destination.port": 3387, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application=\"ptatemse\",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action=\"cancel\",rawQuery=\"Except\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "osqu", + "host.hostname": "setquas6188.internal.local", + "input.type": "log", + "log.offset": 20314, + "network.application": "ptatemse", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.100.113.11", + "10.152.213.228" + ], + "related.user": [ + "ptatev", + "velillum", + "itationu" + ], + "rsa.counters.dclass_c1": 7245, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "magnaali", + "rsa.db.index": "Except", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "osqu", + "rsa.misc.group_object": "aliqu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 131.118, + "rsa.time.starttime": "2017-09-20T15:57:58.000Z", + "service.type": "imperva", + "source.address": "setquas6188.internal.local", + "source.ip": [ + "10.100.113.11" + ], + "source.port": 6971, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ptatev" + }, + { + "event.action": "tquii", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message=\"inBCSedu\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 20779, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "reme" + ], + "rsa.internal.event_desc": "inBCSedu", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "tquii", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-10-04T23:00:32.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "reme" + }, + { + "destination.ip": [ + "10.208.33.55" + ], + "destination.port": 1849, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application=\"dictasun\",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action=\"accept\",rawQuery=\"quovo\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ectetur", + "host.hostname": "nibusBo3674.www5.localhost", + "input.type": "log", + "log.offset": 20919, + "network.application": "dictasun", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.208.33.55", + "10.248.102.129" + ], + "related.user": [ + "ulapari", + "inimv", + "mremaper" + ], + "rsa.counters.dclass_c1": 6433, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ntut", + "rsa.db.index": "quovo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ectetur", + "rsa.misc.group_object": "iatn", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 111.36, + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "service.type": "imperva", + "source.address": "nibusBo3674.www5.localhost", + "source.ip": [ + "10.248.102.129" + ], + "source.port": 3510, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ulapari" + }, + { + "destination.ip": [ + "10.203.164.132" + ], + "destination.port": 6213, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 
11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application=\"rumex\",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action=\"block\",rawQuery=\"ihil\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "uir", + "host.hostname": "totamr7676.www5.home", + "input.type": "log", + "log.offset": 21377, + "network.application": "rumex", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.203.164.132", + "10.109.230.216" + ], + "related.user": [ + "ectobea", + "ibus", + "mporin" + ], + "rsa.counters.dclass_c1": 547, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "imadm", + "rsa.db.index": "ihil", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "uir", + "rsa.misc.group_object": "uov", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.971, + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "service.type": "imperva", + "source.address": "totamr7676.www5.home", + "source.ip": [ + "10.109.230.216" + ], + "source.port": 4447, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mporin" + }, + { + "destination.ip": [ + "10.151.203.60" + ], + "destination.port": 482, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 
18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application=\"itaedi\",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action=\"block\",rawQuery=\"onorumet\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "psam", + "host.hostname": "idents7231.mail.home", + "input.type": "log", + "log.offset": 21821, + "network.application": "itaedi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.117.81.75", + "10.151.203.60" + ], + "related.user": [ + "iconsequ", + "dol", + "exeac" + ], + "rsa.counters.dclass_c1": 484, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "veniamqu", + "rsa.db.index": "onorumet", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "psam", + "rsa.misc.group_object": "iciatis", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 27.563, + "rsa.time.starttime": "2017-11-16T20:08:15.000Z", + "service.type": "imperva", + "source.address": "idents7231.mail.home", + "source.ip": [ + "10.117.81.75" + ], + "source.port": 3365, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "dol" + }, + { + "destination.ip": [ + "10.224.217.153" + ], + "destination.port": 6339, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 
01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application=\"itation\",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action=\"allow\",rawQuery=\"liquid\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "tur", + "host.hostname": "tat50.mail.host", + "input.type": "log", + "log.offset": 22263, + "network.application": "itation", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.224.217.153", + "10.45.152.205" + ], + "related.user": [ + "utlabo", + "eriti", + "imav" + ], + "rsa.counters.dclass_c1": 922, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "essequam", + "rsa.db.index": "liquid", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tur", + "rsa.misc.group_object": "riame", + "rsa.misc.result": "success", + "rsa.time.duration_time": 17.709, + "service.type": "imperva", + "source.address": "tat50.mail.host", + "source.ip": [ + "10.45.152.205" + ], + "source.port": 6907, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "eriti" + }, + { + "destination.ip": [ + "10.1.193.187" + ], + "destination.port": 5119, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName=\"vol\",evntDesc=\"epteurs\",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName=\"yCice\",occurrences=508,httpHost=ionem,webMethod=taevitae,url=\"https://api.example.net/quam/saute.htm?nostru=docons#emipsumq\",webQuery=\"orinr\",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application=\"conse\",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action=\"allow\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "odit", + "host.hostname": "mips3283.corp", + "input.type": "log", + "log.level": "low", + "log.offset": 22703, + "network.application": "conse", + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.60.164.100", + "10.1.193.187" + ], + "related.user": [ + "adipis", + "ugi", + "hite" + ], + "rsa.counters.event_counter": 508, + "rsa.db.database": "abo", + "rsa.internal.event_desc": "epteurs", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow", + "taevitae" + ], + "rsa.misc.category": "itse", + "rsa.misc.disposition": "rever", + "rsa.misc.event_type": "sBonoru", + "rsa.misc.group": "odit", + "rsa.misc.log_session_id": "tass", + "rsa.misc.operation_id": "umq", + "rsa.misc.policy_name": "yCice", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "umdo", + "rsa.misc.rule_name": "vol", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "rsa.web.alias_host": "ionem", + "rule.name": "vol", + "service.type": "imperva", + "source.address": "mips3283.corp", + "source.ip": [ + "10.60.164.100" + ], + "source.port": 2652, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://api.example.net/quam/saute.htm?nostru=docons#emipsumq", + "url.query": "orinr", + "user.name": "ugi" + }, + { + "destination.ip": [ + "10.248.244.203" + ], + "destination.port": 806, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application=\"oloremq\",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action=\"allow\",rawQuery=\"mto\"", + "fileset.name": "securesphere", + "group.name": "eatae", + "host.hostname": "aliquip7229.mail.domain", + "input.type": "log", + "log.offset": 23440, + "network.application": "oloremq", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.146.228.234", + "10.248.244.203" + ], + "related.user": [ + "mquamei", + "eiusm", + "sum" + ], + "rsa.counters.dclass_c1": 3058, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "doe", + "rsa.db.index": "mto", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "taed", + "rsa.misc.group": "eatae", + "rsa.misc.group_object": "rissusci", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 133.358, + "rsa.time.starttime": "2017-12-29T17:15:58.000Z", + "service.type": "imperva", + "source.address": "aliquip7229.mail.domain", + "source.ip": [ + "10.146.228.234" + ], + "source.port": 4346, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mquamei" + }, + { + "destination.ip": [ + "10.122.127.237" + ], + "destination.port": 1138, + "event.action": "block", + 
"event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application=\"umdolo\",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action=\"block\",rawQuery=\"ipex\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "uidex", + "host.hostname": "fde7756.mail.corp", + "input.type": "log", + "log.offset": 23887, + "network.application": "umdolo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.122.127.237", + "10.86.121.152" + ], + "related.user": [ + "nimv", + "ine", + "consecte" + ], + "rsa.counters.dclass_c1": 2771, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "usmod", + "rsa.db.index": "ipex", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "uidex", + "rsa.misc.group_object": "mquamei", + "rsa.misc.result": "success", + "rsa.time.duration_time": 136.167, + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "service.type": "imperva", + "source.address": "fde7756.mail.corp", + "source.ip": [ + "10.86.121.152" + ], + "source.port": 3971, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "consecte" + }, + { + "destination.ip": [ + "10.201.223.119" + ], + "destination.port": 3614, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": 
"imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application=\"mea\",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action=\"block\",rawQuery=\"liq\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ostru", + "host.hostname": "agnama5013.internal.example", + "input.type": "log", + "log.offset": 24328, + "network.application": "mea", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.204.223.184", + "10.201.223.119" + ], + "related.user": [ + "rcit", + "teni", + "tuserror" + ], + "rsa.counters.dclass_c1": 4113, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "boreetdo", + "rsa.db.index": "liq", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ostru", + "rsa.misc.group_object": "giat", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 161.837, + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "service.type": "imperva", + "source.address": "agnama5013.internal.example", + "source.ip": [ + "10.204.223.184" + ], + "source.port": 6092, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "rcit" + }, + { + "destination.ip": [ + "10.200.12.126" + ], + "destination.port": 2347, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": 
"imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application=\"itatis\",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action=\"block\",rawQuery=\"hende\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "oreetd", + "host.hostname": "edictas4693.home", + "input.type": "log", + "log.offset": 24771, + "network.application": "itatis", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.223.56.33", + "10.200.12.126" + ], + "related.user": [ + "Nequepo", + "elitsedd", + "magnido" + ], + "rsa.counters.dclass_c1": 3243, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "borisnis", + "rsa.db.index": "hende", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "oreetd", + "rsa.misc.group_object": "ing", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 75.415, + "rsa.time.starttime": "2018-02-10T14:23:41.000Z", + "service.type": "imperva", + "source.address": "edictas4693.home", + "source.ip": [ + "10.223.56.33" + ], + "source.port": 5899, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "magnido" + }, + { + "destination.ip": [ + "10.65.225.101" + ], + "destination.port": 1752, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": 
"%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName=\"tiumd\",evntDesc=\"atuse\",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName=\"nulapari\",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url=\"https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia\",webQuery=\"edquiac\",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application=\"eritin\",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action=\"cancel\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "onsequat", + "host.hostname": "nibu2565.api.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 25217, + "network.application": "eritin", + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.94.89.177", + "10.65.225.101" + ], + "related.user": [ + "citation", + "tuserror", + "emquel" + ], + "rsa.counters.event_counter": 2513, + "rsa.db.database": "rspiciat", + "rsa.internal.event_desc": "atuse", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "eruntmol" + ], + "rsa.misc.category": "imad", + "rsa.misc.disposition": "tura", + "rsa.misc.event_type": "equuntur", + "rsa.misc.group": "onsequat", + "rsa.misc.log_session_id": "ritq", + "rsa.misc.operation_id": "deseru", + "rsa.misc.policy_name": "nulapari", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "teturad", + "rsa.misc.rule_name": "tiumd", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-02-24T21:26:15.000Z", + "rsa.web.alias_host": "ostrumex", + "rule.name": "tiumd", + 
"service.type": "imperva", + "source.address": "nibu2565.api.local", + "source.ip": [ + "10.94.89.177" + ], + "source.port": 428, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia", + "url.query": "edquiac", + "user.name": "tuserror" + }, + { + "destination.ip": [ + "10.65.174.196" + ], + "destination.port": 472, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application=\"tatemse\",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action=\"deny\",rawQuery=\"BCSedutp\"", + "fileset.name": "securesphere", + "group.name": "labor", + "host.hostname": "tsun7120.home", + "input.type": "log", + "log.offset": 26002, + "network.application": "tatemse", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.65.174.196", + "10.191.184.105" + ], + "related.user": [ + "tione", + "iin", + "uta" + ], + "rsa.counters.dclass_c1": 5836, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "per", + "rsa.db.index": "BCSedutp", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "quaUt", + "rsa.misc.group": "labor", + "rsa.misc.group_object": "iat", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 61.864, + "rsa.time.starttime": "2018-03-11T04:28:49.000Z", + "service.type": "imperva", + "source.address": "tsun7120.home", + "source.ip": [ + "10.191.184.105" + ], + "source.port": 6821, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": 
"iin" + }, + { + "destination.ip": [ + "10.41.181.179" + ], + "destination.port": 2803, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName=\"eabil\",evntDesc=\"ibusB\",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName=\"siarch\",occurrences=7468,httpHost=setq,webMethod=rumwr,url=\"https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd\",webQuery=\"ntore\",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application=\"caecat\",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action=\"deny\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "umSecti", + "host.hostname": "lumquid6940.mail.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 26426, + "network.application": "caecat", + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.224.148.48", + "10.41.181.179" + ], + "related.user": [ + "equepor", + "niam", + "iosamn" + ], + "rsa.counters.event_counter": 7468, + "rsa.db.database": "erspicia", + "rsa.internal.event_desc": "ibusB", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "rumwr", + "deny" + ], + "rsa.misc.category": "rporis", + "rsa.misc.disposition": "etco", + "rsa.misc.event_type": "mip", + "rsa.misc.group": "umSecti", + "rsa.misc.log_session_id": "tutl", + "rsa.misc.operation_id": "tdolor", + "rsa.misc.policy_name": "siarch", + "rsa.misc.result": "success", + "rsa.misc.result_code": 
"ion", + "rsa.misc.rule_name": "eabil", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-03-25T11:31:24.000Z", + "rsa.web.alias_host": "setq", + "rule.name": "eabil", + "service.type": "imperva", + "source.address": "lumquid6940.mail.localdomain", + "source.ip": [ + "10.224.148.48" + ], + "source.port": 6078, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd", + "url.query": "ntore", + "user.name": "niam" + }, + { + "destination.ip": [ + "10.21.208.103" + ], + "destination.port": 5543, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application=\"utod\",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action=\"deny\",rawQuery=\"nemullam\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "diconseq", + "host.hostname": "amcorp7299.api.example", + "input.type": "log", + "log.offset": 27184, + "network.application": "utod", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.21.61.134", + "10.21.208.103" + ], + "related.user": [ + "ostr", + "imidest", + "mipsa" + ], + "rsa.counters.dclass_c1": 7766, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uptatem", + "rsa.db.index": "nemullam", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + 
"rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "diconseq", + "rsa.misc.group_object": "iacon", + "rsa.misc.result": "success", + "rsa.time.duration_time": 91.186, + "rsa.time.starttime": "2018-04-08T18:33:58.000Z", + "service.type": "imperva", + "source.address": "amcorp7299.api.example", + "source.ip": [ + "10.21.61.134" + ], + "source.port": 6124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "imidest" + }, + { + "destination.ip": [ + "10.23.6.216" + ], + "destination.port": 4578, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application=\"uasiarch\",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action=\"accept\",rawQuery=\"oremagn\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "labore", + "host.hostname": "magnama868.api.local", + "input.type": "log", + "log.offset": 27634, + "network.application": "uasiarch", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.221.192.116", + "10.23.6.216" + ], + "related.user": [ + "iarchit", + "tevelite", + "iamquisn" + ], + "rsa.counters.dclass_c1": 639, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "Section", + "rsa.db.index": "oremagn", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + 
"accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "labore", + "rsa.misc.group_object": "usBonor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 6.388, + "rsa.time.starttime": "2018-04-23T01:36:32.000Z", + "service.type": "imperva", + "source.address": "magnama868.api.local", + "source.ip": [ + "10.221.192.116" + ], + "source.port": 4688, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iarchit" + }, + { + "destination.ip": [ + "10.240.62.238" + ], + "destination.port": 5850, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName=\"tutlabo\",evntDesc=\"nto\",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName=\"sintoc\",occurrences=7580,httpHost=laboris,webMethod=ali,url=\"https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa\",webQuery=\"sunt\",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application=\"amqua\",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel", + "fileset.name": "securesphere", + "group.name": "tate", + "host.hostname": "tionevol3157.mail.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28092, + "network.application": "amqua", + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.240.62.238", + "10.191.142.143" + ], + "related.user": [ + "modtempo", + "nofde", + "animide" + ], + "rsa.counters.event_counter": 7580, + 
"rsa.db.database": "Lore", + "rsa.internal.event_desc": "nto", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "ali", + "cancel" + ], + "rsa.misc.category": "sciv", + "rsa.misc.disposition": "tlabo", + "rsa.misc.event_type": "nsequun", + "rsa.misc.group": "tate", + "rsa.misc.log_session_id": "emveleum", + "rsa.misc.operation_id": "rcita", + "rsa.misc.policy_name": "sintoc", + "rsa.misc.result_code": "olupta", + "rsa.misc.rule_name": "tutlabo", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-05-07T08:39:06.000Z", + "rsa.web.alias_host": "laboris", + "rule.name": "tutlabo", + "service.type": "imperva", + "source.address": "tionevol3157.mail.invalid", + "source.ip": [ + "10.191.142.143" + ], + "source.port": 2976, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa", + "url.query": "sunt", + "user.name": "modtempo" + }, + { + "destination.ip": [ + "10.111.22.134" + ], + "destination.port": 7499, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName=\"atu\",evntDesc=\"adeseru\",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName=\"datatno\",occurrences=3538,httpHost=siar,webMethod=orisnis,url=\"https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco\",webQuery=\"ommodoco\",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application=\"stenat\",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny", + "fileset.name": "securesphere", + "group.name": "onev", + 
"host.hostname": "mquis319.api.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28845, + "network.application": "stenat", + "network.direction": "external", + "network.protocol": "igmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.111.22.134", + "10.178.79.217" + ], + "related.user": [ + "ccusan", + "inibusBo", + "tqui" + ], + "rsa.counters.event_counter": 3538, + "rsa.db.database": "sequun", + "rsa.internal.event_desc": "adeseru", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "orisnis" + ], + "rsa.misc.category": "sitas", + "rsa.misc.disposition": "eni", + "rsa.misc.event_type": "cte", + "rsa.misc.group": "onev", + "rsa.misc.log_session_id": "oidents", + "rsa.misc.operation_id": "ecatcu", + "rsa.misc.policy_name": "datatno", + "rsa.misc.result_code": "rita", + "rsa.misc.rule_name": "atu", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-05-21T15:41:41.000Z", + "rsa.web.alias_host": "siar", + "rule.name": "atu", + "service.type": "imperva", + "source.address": "mquis319.api.local", + "source.ip": [ + "10.178.79.217" + ], + "source.port": 3124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco", + "url.query": "ommodoco", + "user.name": "ccusan" + }, + { + "destination.ip": [ + "10.161.225.172" + ], + "destination.port": 3708, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 
20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application=\"tau\",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action=\"block\",rawQuery=\"ant\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "itaspern", + "host.hostname": "urad5712.api.host", + "input.type": "log", + "log.offset": 29582, + "network.application": "tau", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.161.225.172", + "10.77.86.215" + ], + "related.user": [ + "meaqu", + "rcit", + "xerc" + ], + "rsa.counters.dclass_c1": 7286, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "sitamet", + "rsa.db.index": "ant", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "itaspern", + "rsa.misc.group_object": "con", + "rsa.misc.result": "success", + "rsa.time.duration_time": 143.926, + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "service.type": "imperva", + "source.address": "urad5712.api.host", + "source.ip": [ + "10.77.86.215" + ], + "source.port": 6390, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "meaqu" + }, + { + "destination.ip": [ + "10.186.133.184" + ], + "destination.port": 7864, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application=\"qua\",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action=\"deny\",rawQuery=\"onevol\"", + "fileset.name": "securesphere", + "group.name": "mporai", + "host.hostname": "enbyCic4659.www5.example", + "input.type": "log", + "log.offset": 30021, + "network.application": "qua", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.186.133.184", + "10.211.161.187" + ], + "related.user": [ + "sci", + "boriosa", + "acons" + ], + "rsa.counters.dclass_c1": 1578, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "orroqui", + "rsa.db.index": "onevol", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "autem", + "rsa.misc.group": "mporai", + "rsa.misc.group_object": "laud", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 66.164, + "rsa.time.starttime": "2018-06-19T05:46:49.000Z", + "service.type": "imperva", + "source.address": "enbyCic4659.www5.example", + "source.ip": [ + "10.211.161.187" + ], + "source.port": 843, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "boriosa" + }, + { + "destination.ip": [ + "10.160.147.230" + ], + "destination.port": 2126, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 
10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application=\"dolor\",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action=\"cancel\",rawQuery=\"dquiaco\"", + "fileset.name": "securesphere", + "group.name": "dolo", + "host.hostname": "inBCSed5308.api.corp", + "input.type": "log", + "log.offset": 30463, + "network.application": "dolor", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.254.198.47", + "10.160.147.230" + ], + "related.user": [ + "illoin", + "nimvenia", + "ndeomnis" + ], + "rsa.counters.dclass_c1": 5988, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "modicons", + "rsa.db.index": "dquiaco", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "ueporroq", + "rsa.misc.group": "dolo", + "rsa.misc.group_object": "lit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 34.664, + "rsa.time.starttime": "2018-07-03T12:49:23.000Z", + "service.type": "imperva", + "source.address": "inBCSed5308.api.corp", + "source.ip": [ + "10.254.198.47" + ], + "source.port": 3925, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "nimvenia" + }, + { + "destination.ip": [ + "10.40.24.93" + ], + "destination.port": 7487, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 
17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application=\"abo\",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action=\"cancel\",rawQuery=\"equuntu\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "intocc", + "host.hostname": "reseo2067.api.localdomain", + "input.type": "log", + "log.offset": 30915, + "network.application": "abo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.182.197.243", + "10.40.24.93" + ], + "related.user": [ + "orisnis", + "exerci", + "mSecti" + ], + "rsa.counters.dclass_c1": 4129, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nsectetu", + "rsa.db.index": "equuntu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "intocc", + "rsa.misc.group_object": "xerci", + "rsa.misc.result": "success", + "rsa.time.duration_time": 171.277, + "rsa.time.starttime": "2018-07-17T19:51:58.000Z", + "service.type": "imperva", + "source.address": "reseo2067.api.localdomain", + "source.ip": [ + "10.182.197.243" + ], + "source.port": 3687, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mSecti" + }, + { + "destination.ip": [ + "10.249.13.159" + ], + "destination.port": 3023, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 
00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application=\"velitess\",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action=\"cancel\",rawQuery=\"cepteurs\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "reh", + "host.hostname": "itte6905.mail.invalid", + "input.type": "log", + "log.offset": 31363, + "network.application": "velitess", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.249.13.159", + "10.108.130.106" + ], + "related.user": [ + "colab", + "uisautei", + "exeacomm" + ], + "rsa.counters.dclass_c1": 1044, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tesseq", + "rsa.db.index": "cepteurs", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "reh", + "rsa.misc.group_object": "scinge", + "rsa.misc.result": "success", + "rsa.time.duration_time": 112.679, + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "service.type": "imperva", + "source.address": "itte6905.mail.invalid", + "source.ip": [ + "10.108.130.106" + ], + "source.port": 7601, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "uisautei" + }, + { + "destination.ip": [ + "10.39.244.49" + ], + "destination.port": 3852, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName=\"ptate\",evntDesc=\"enimips\",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName=\"ctas\",occurrences=7128,httpHost=sequ,webMethod=gna,url=\"https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod\",webQuery=\"tur\",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application=\"rorsitv\",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel", + "fileset.name": "securesphere", + "group.name": "caboNe", + "host.hostname": "caboNemo274.www.host", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31820, + "network.application": "rorsitv", + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.39.244.49", + "10.64.94.174" + ], + "related.user": [ + "iunt", + "Sedut", + "estiae" + ], + "rsa.counters.event_counter": 7128, + "rsa.db.database": "eFinibu", + "rsa.internal.event_desc": "enimips", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "gna" + ], + "rsa.misc.category": "Nequepor", + "rsa.misc.disposition": "nisiu", + "rsa.misc.event_type": "ptat", + "rsa.misc.group": "caboNe", + "rsa.misc.log_session_id": "aven", + "rsa.misc.operation_id": "ioffic", + "rsa.misc.policy_name": "ctas", + "rsa.misc.result_code": "uovo", + "rsa.misc.rule_name": "ptate", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-08-15T09:57:06.000Z", + "rsa.web.alias_host": "sequ", + "rule.name": "ptate", + "service.type": "imperva", + "source.address": "caboNemo274.www.host", + "source.ip": [ + "10.64.94.174" + ], + "source.port": 4082, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod", + "url.query": "tur", + "user.name": "Sedut" + }, + { + "event.action": "ercitati", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message=\"deserun\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 32562, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "imad" + ], + "rsa.internal.event_desc": "deserun", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ercitati", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-08-29T16:59:40.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "imad" + }, + { + "event.action": "uatDuis", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message=\"utali\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 32706, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "apari" + ], + "rsa.internal.event_desc": "utali", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "uatDuis", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "apari" + }, + { + "destination.ip": [ + "10.115.203.143" + ], + "destination.port": 6889, + "event.action": "cancel", + "event.code": "Imperva", + 
"event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application=\"urere\",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action=\"cancel\",rawQuery=\"quatu\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "entor", + "host.hostname": "qui5978.api.test", + "input.type": "log", + "log.offset": 32854, + "network.application": "urere", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.134.135.22", + "10.115.203.143" + ], + "related.user": [ + "orpori", + "utoditau", + "involu" + ], + "rsa.counters.dclass_c1": 7868, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "amre", + "rsa.db.index": "quatu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "entor", + "rsa.misc.group_object": "serror", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 5.277, + "rsa.time.starttime": "2018-09-27T07:04:49.000Z", + "service.type": "imperva", + "source.address": "qui5978.api.test", + "source.ip": [ + "10.134.135.22" + ], + "source.port": 1809, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "utoditau" + }, + { + "destination.ip": [ + "10.43.244.252" + ], + "destination.port": 1752, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + 
"event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application=\"enim\",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action=\"accept\",rawQuery=\"lamco\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "tatiset", + "host.hostname": "iamq2577.internal.corp", + "input.type": "log", + "log.offset": 33304, + "network.application": "enim", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.43.244.252", + "10.251.212.166" + ], + "related.user": [ + "uptat", + "gnido", + "inculp" + ], + "rsa.counters.dclass_c1": 6947, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uisa", + "rsa.db.index": "lamco", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tatiset", + "rsa.misc.group_object": "iur", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 144.976, + "rsa.time.starttime": "2018-10-11T14:07:23.000Z", + "service.type": "imperva", + "source.address": "iamq2577.internal.corp", + "source.ip": [ + "10.251.212.166" + ], + "source.port": 3925, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "inculp" + }, + { + "event.action": "edutpe", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message=\"cepte\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 33759, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "isunde" + ], + "rsa.internal.event_desc": "cepte", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "edutpe", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-10-25T21:09:57.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "isunde" + }, + { + "destination.ip": [ + "10.20.231.188" + ], + "destination.port": 1200, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application=\"uidolore\",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action=\"cancel\",rawQuery=\"porinci\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "tNeque", + "host.hostname": "usB4127.localhost", + "input.type": "log", + "log.offset": 33902, + "network.application": "uidolore", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.88.189.164", + "10.20.231.188" + ], + "related.user": [ + "mqu", + "uatDuisa", + "tesseq" + ], + "rsa.counters.dclass_c1": 1623, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ufugia", + "rsa.db.index": "porinci", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "tNeque", + "rsa.misc.group_object": "iusmod", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.468, + "rsa.time.starttime": "2018-11-09T04:12:32.000Z", + "service.type": "imperva", + "source.address": "usB4127.localhost", + "source.ip": [ + "10.88.189.164" + ], + "source.port": 1373, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tesseq" + }, + { + "event.action": "uianon", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message=\"nos\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 34350, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "quamquae" + ], + "rsa.internal.event_desc": "nos", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "uianon", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2018-11-23T11:15:06.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "quamquae" + }, + { + "destination.ip": [ + "10.231.77.26" + ], + "destination.port": 7082, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 
16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application=\"entsu\",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action=\"allow\",rawQuery=\"uovo\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "quines", + "host.hostname": "abor3266.mail.home", + "input.type": "log", + "log.offset": 34487, + "network.application": "entsu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.231.77.26", + "10.225.11.197" + ], + "related.user": [ + "volu", + "ineavol", + "rehe" + ], + "rsa.counters.dclass_c1": 3064, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "voluptat", + "rsa.db.index": "uovo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "quines", + "rsa.misc.group_object": "siarchi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 61.96, + "service.type": "imperva", + "source.address": "abor3266.mail.home", + "source.ip": [ + "10.225.11.197" + ], + "source.port": 3513, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "rehe" + }, + { + "destination.ip": [ + "10.148.3.197" + ], + "destination.port": 979, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 
23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application=\"natuser\",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action=\"allow\",rawQuery=\"byCicer\"", + "fileset.name": "securesphere", + "group.name": "tru", + "host.hostname": "eprehe2455.www.home", + "input.type": "log", + "log.offset": 34938, + "network.application": "natuser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.106.166.105", + "10.148.3.197" + ], + "related.user": [ + "avolup", + "olupt", + "usa" + ], + "rsa.counters.dclass_c1": 2658, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "smo", + "rsa.db.index": "byCicer", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "ficia", + "rsa.misc.group": "tru", + "rsa.misc.group_object": "oremagna", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 84.894, + "rsa.time.starttime": "2018-12-22T01:20:14.000Z", + "service.type": "imperva", + "source.address": "eprehe2455.www.home", + "source.ip": [ + "10.106.166.105" + ], + "source.port": 4567, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "usa" + }, + { + "destination.ip": [ + "10.172.121.239" + ], + "destination.port": 5339, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application=\"cept\",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action=\"cancel\",rawQuery=\"maven\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "mpo", + "host.hostname": "destla2110.www5.localdomain", + "input.type": "log", + "log.offset": 35381, + "network.application": "cept", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.57.169.205", + "10.172.121.239" + ], + "related.user": [ + "iuta", + "ctas", + "ipsu" + ], + "rsa.counters.dclass_c1": 392, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "inea", + "rsa.db.index": "maven", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "mpo", + "rsa.misc.group_object": "reeufugi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 19.061, + "rsa.time.starttime": "2019-01-05T08:22:49.000Z", + "service.type": "imperva", + "source.address": "destla2110.www5.localdomain", + "source.ip": [ + "10.57.169.205" + ], + "source.port": 3093, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iuta" + }, + { + "destination.ip": [ + "10.129.234.200" + ], + "destination.port": 3833, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 
13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application=\"aaliqu\",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action=\"allow\",rawQuery=\"ipex\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "laborio", + "host.hostname": "exerc3694.api.home", + "input.type": "log", + "log.offset": 35821, + "network.application": "aaliqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.129.234.200", + "10.42.218.103" + ], + "related.user": [ + "tevelit", + "tisundeo", + "dquia" + ], + "rsa.counters.dclass_c1": 6709, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "consec", + "rsa.db.index": "ipex", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "laborio", + "rsa.misc.group_object": "mnis", + "rsa.misc.result": "success", + "rsa.time.duration_time": 34.273, + "rsa.time.starttime": "2019-01-19T15:25:23.000Z", + "service.type": "imperva", + "source.address": "exerc3694.api.home", + "source.ip": [ + "10.42.218.103" + ], + "source.port": 3315, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tisundeo" + }, + { + "destination.ip": [ + "10.111.132.221" + ], + "destination.port": 2262, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 
20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application=\"siarch\",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action=\"cancel\",rawQuery=\"ita\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "admi", + "host.hostname": "ididu5928.www5.local", + "input.type": "log", + "log.offset": 36271, + "network.application": "siarch", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.111.132.221", + "10.76.121.224" + ], + "related.user": [ + "ali", + "scive", + "oloremi" + ], + "rsa.counters.dclass_c1": 6155, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tNe", + "rsa.db.index": "ita", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "admi", + "rsa.misc.group_object": "xcep", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 139.491, + "rsa.time.starttime": "2019-02-02T22:27:57.000Z", + "service.type": "imperva", + "source.address": "ididu5928.www5.local", + "source.ip": [ + "10.76.121.224" + ], + "source.port": 4305, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ali" + }, + { + "destination.ip": [ + "10.195.8.141" + ], + "destination.port": 4342, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 
03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application=\"riaturE\",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action=\"accept\",rawQuery=\"non\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "tium", + "host.hostname": "boriosa7066.www.corp", + "input.type": "log", + "log.offset": 36701, + "network.application": "riaturE", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.17.214.21", + "10.195.8.141" + ], + "related.user": [ + "ota", + "enimip", + "dolo" + ], + "rsa.counters.dclass_c1": 469, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "Nequep", + "rsa.db.index": "non", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tium", + "rsa.misc.group_object": "umquiado", + "rsa.misc.result": "success", + "rsa.time.duration_time": 146.775, + "rsa.time.starttime": "2019-02-17T05:30:32.000Z", + "service.type": "imperva", + "source.address": "boriosa7066.www.corp", + "source.ip": [ + "10.17.214.21" + ], + "source.port": 4821, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "enimip" + }, + { + "destination.ip": [ + "10.173.13.179" + ], + "destination.port": 1211, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application=\"cons\",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action=\"block\",rawQuery=\"cusan\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "liqu", + "host.hostname": "ssusc1892.internal.host", + "input.type": "log", + "log.offset": 37150, + "network.application": "cons", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.179.60.167", + "10.173.13.179" + ], + "related.user": [ + "ptasn", + "apar", + "isn" + ], + "rsa.counters.dclass_c1": 758, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "xplic", + "rsa.db.index": "cusan", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "liqu", + "rsa.misc.group_object": "amqui", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 58.8, + "rsa.time.starttime": "2019-03-03T12:33:06.000Z", + "service.type": "imperva", + "source.address": "ssusc1892.internal.host", + "source.ip": [ + "10.179.60.167" + ], + "source.port": 1124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ptasn" + }, + { + "destination.ip": [ + "10.42.135.34" + ], + "destination.port": 4361, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 
17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application=\"ser\",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action=\"cancel\",rawQuery=\"ore\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "lmolest", + "host.hostname": "iatisund424.mail.localdomain", + "input.type": "log", + "log.offset": 37585, + "network.application": "ser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.42.135.34", + "10.178.190.123" + ], + "related.user": [ + "ore", + "orsi", + "tiset" + ], + "rsa.counters.dclass_c1": 2290, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tametcon", + "rsa.db.index": "ore", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "lmolest", + "rsa.misc.group_object": "xercitat", + "rsa.misc.result": "success", + "rsa.time.duration_time": 1.468, + "rsa.time.starttime": "2019-03-17T19:35:40.000Z", + "service.type": "imperva", + "source.address": "iatisund424.mail.localdomain", + "source.ip": [ + "10.178.190.123" + ], + "source.port": 3288, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tiset" + }, + { + "event.action": "cons", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message=\"ntutla\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": 
"medium", + "log.offset": 38037, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "fugit" + ], + "rsa.internal.event_desc": "ntutla", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "cons", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2019-04-01T02:38:14.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "fugit" + }, + { + "destination.ip": [ + "10.207.198.239" + ], + "destination.port": 4735, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application=\"exerc\",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action=\"accept\",rawQuery=\"econsequ\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ori", + "host.hostname": "uidolo7626.local", + "input.type": "log", + "log.offset": 38180, + "network.application": "exerc", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.207.198.239", + "10.8.147.176" + ], + "related.user": [ + "incididu", + "Loremips", + "aUteni" + ], + "rsa.counters.dclass_c1": 3043, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rchite", + "rsa.db.index": "econsequ", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + 
"rsa.misc.event_type": "Login", + "rsa.misc.group": "ori", + "rsa.misc.group_object": "odtem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 36.712, + "rsa.time.starttime": "2019-04-15T09:40:49.000Z", + "service.type": "imperva", + "source.address": "uidolo7626.local", + "source.ip": [ + "10.8.147.176" + ], + "source.port": 5920, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "Loremips" + }, + { + "destination.ip": [ + "10.116.26.185" + ], + "destination.port": 595, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application=\"cca\",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action=\"block\",rawQuery=\"nul\"", + "fileset.name": "securesphere", + "group.name": "uelau", + "host.hostname": "dmini3435.internal.domain", + "input.type": "log", + "log.offset": 38627, + "network.application": "cca", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.206.221.180", + "10.116.26.185" + ], + "related.user": [ + "litesseq", + "oNe", + "nseq" + ], + "rsa.counters.dclass_c1": 3218, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rumexerc", + "rsa.db.index": "nul", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "rumS", + "rsa.misc.group": "uelau", + "rsa.misc.group_object": "repr", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 26.485, + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "service.type": "imperva", + "source.address": 
"dmini3435.internal.domain", + "source.ip": [ + "10.206.221.180" + ], + "source.port": 6818, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "oNe" + }, + { + "destination.ip": [ + "10.86.180.150" + ], + "destination.port": 5495, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application=\"uat\",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action=\"allow\",rawQuery=\"sperna\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "equunt", + "host.hostname": "nibusBo1864.domain", + "input.type": "log", + "log.offset": 39075, + "network.application": "uat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.86.180.150", + "10.253.127.130" + ], + "related.user": [ + "mnisis", + "itasper", + "etconsec" + ], + "rsa.counters.dclass_c1": 4564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ent", + "rsa.db.index": "sperna", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "equunt", + "rsa.misc.group_object": "isciveli", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 4.592, + "rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "service.type": "imperva", + "source.address": "nibusBo1864.domain", + "source.ip": [ + 
"10.253.127.130" + ], + "source.port": 5339, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mnisis" + }, + { + "destination.ip": [ + "10.158.161.5" + ], + "destination.port": 579, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName=\"busBonor\",evntDesc=\"enima\",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName=\"eab\",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url=\"https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu\",webQuery=\"suntincu\",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application=\"eumiurer\",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow", + "fileset.name": "securesphere", + "group.name": "ciade", + "host.hostname": "inv6528.www5.example", + "input.type": "log", + "log.level": "high", + "log.offset": 39520, + "network.application": "eumiurer", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.220.175.201", + "10.158.161.5" + ], + "related.user": [ + "rrors", + "dolo" + ], + "rsa.counters.event_counter": 4098, + "rsa.db.database": "tsed", + "rsa.internal.event_desc": "enima", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "atisu", + "allow" + ], + "rsa.misc.category": "emseq", + "rsa.misc.disposition": "osamni", + "rsa.misc.event_type": "umetMa", + "rsa.misc.group": "ciade", + "rsa.misc.log_session_id": "enbyCi", + "rsa.misc.operation_id": "mexe", + 
"rsa.misc.policy_name": "eab", + "rsa.misc.result_code": "equatu", + "rsa.misc.rule_name": "busBonor", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-05-28T06:48:31.000Z", + "rsa.web.alias_host": "ciduntut", + "rule.name": "busBonor", + "service.type": "imperva", + "source.address": "inv6528.www5.example", + "source.ip": [ + "10.220.175.201" + ], + "source.port": 4469, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", + "url.query": "suntincu", + "user.name": "dolo" + }, + { + "event.action": "ema", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message=\"ten\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 40273, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "mpo" + ], + "rsa.internal.event_desc": "ten", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ema", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-06-11T13:51:06.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mpo" + }, + { + "destination.ip": [ + "10.150.27.144" + ], + "destination.port": 5627, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 
18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application=\"etdo\",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action=\"cancel\",rawQuery=\"osquira\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "avolup", + "host.hostname": "nisiutal4437.www.example", + "input.type": "log", + "log.offset": 40407, + "network.application": "etdo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.248.16.82", + "10.150.27.144" + ], + "related.user": [ + "ditautf", + "tuserror", + "res" + ], + "rsa.counters.dclass_c1": 4367, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uipex", + "rsa.db.index": "osquira", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "avolup", + "rsa.misc.group_object": "loinv", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 25.972, + "rsa.time.starttime": "2019-06-25T20:53:40.000Z", + "service.type": "imperva", + "source.address": "nisiutal4437.www.example", + "source.ip": [ + "10.248.16.82" + ], + "source.port": 6834, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "res" + }, + { + "destination.ip": [ + "10.146.131.76" + ], + "destination.port": 2281, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application=\"ididun\",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action=\"allow\",rawQuery=\"seos\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "untmoll", + "host.hostname": "tqui5172.www.local", + "input.type": "log", + "log.offset": 40851, + "network.application": "ididun", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.173.19.140", + "10.146.131.76" + ], + "related.user": [ + "Except", + "olo", + "orsi" + ], + "rsa.counters.dclass_c1": 5844, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "untex", + "rsa.db.index": "seos", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "untmoll", + "rsa.misc.group_object": "atu", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 52.55, + "rsa.time.starttime": "2019-07-10T03:56:14.000Z", + "service.type": "imperva", + "source.address": "tqui5172.www.local", + "source.ip": [ + "10.173.19.140" + ], + "source.port": 7780, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "orsi" + }, + { + "destination.ip": [ + "10.69.5.227" + ], + "destination.port": 5845, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 
08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application=\"tvol\",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action=\"deny\",rawQuery=\"edquian\"", + "fileset.name": "securesphere", + "group.name": "emeu", + "host.hostname": "intocca6708.mail.corp", + "input.type": "log", + "log.offset": 41284, + "network.application": "tvol", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.69.5.227", + "10.171.175.165" + ], + "related.user": [ + "rumw", + "ntocc", + "doloreme" + ], + "rsa.counters.dclass_c1": 5201, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dquiaco", + "rsa.db.index": "edquian", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "onemull", + "rsa.misc.group": "emeu", + "rsa.misc.group_object": "taspe", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 46.69, + "rsa.time.starttime": "2019-07-24T10:58:48.000Z", + "service.type": "imperva", + "source.address": "intocca6708.mail.corp", + "source.ip": [ + "10.171.175.165" + ], + "source.port": 5776, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "doloreme" + }, + { + "destination.ip": [ + "10.213.214.118" + ], + "destination.port": 7851, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 
16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application=\"enatuser\",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action=\"deny\",rawQuery=\"ipsamvol\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "emull", + "host.hostname": "isetqu2843.www.invalid", + "input.type": "log", + "log.offset": 41730, + "network.application": "enatuser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.213.214.118", + "10.253.175.129" + ], + "related.user": [ + "nrep", + "epteurs", + "ate" + ], + "rsa.counters.dclass_c1": 6260, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqu", + "rsa.db.index": "ipsamvol", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "emull", + "rsa.misc.group_object": "rsi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 9.295, + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "service.type": "imperva", + "source.address": "isetqu2843.www.invalid", + "source.ip": [ + "10.253.175.129" + ], + "source.port": 5547, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ate" + }, + { + "destination.ip": [ + "10.89.26.170" + ], + "destination.port": 3548, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 
23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName=\"uisnos\",evntDesc=\"loi\",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName=\"aqueipsa\",occurrences=5863,httpHost=ide,webMethod=atcupi,url=\"https://www.example.com/sit/ugi.gif?sitametc=rur#edut\",webQuery=\"sitametc\",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application=\"uptateve\",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block", + "fileset.name": "securesphere", + "group.name": "bor", + "host.hostname": "commodo6041.mail.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 42181, + "network.application": "uptateve", + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.149.91.130", + "10.89.26.170" + ], + "related.user": [ + "aboris", + "atus", + "orumetMa" + ], + "rsa.counters.event_counter": 5863, + "rsa.db.database": "inventor", + "rsa.internal.event_desc": "loi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "atcupi" + ], + "rsa.misc.category": "tation", + "rsa.misc.disposition": "seddoe", + "rsa.misc.event_type": "adol", + "rsa.misc.group": "bor", + "rsa.misc.log_session_id": "iono", + "rsa.misc.operation_id": "estquido", + "rsa.misc.policy_name": "aqueipsa", + "rsa.misc.result_code": "uide", + "rsa.misc.rule_name": "uisnos", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "rsa.web.alias_host": "ide", + "rule.name": "uisnos", + "service.type": "imperva", + "source.address": "commodo6041.mail.localhost", + "source.ip": [ + "10.149.91.130" + ], + "source.port": 7756, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://www.example.com/sit/ugi.gif?sitametc=rur#edut", + "url.query": "sitametc", + "user.name": "aboris" + }, + { + "destination.ip": [ + "10.81.108.232" + ], + "destination.port": 856, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName=\"alorumwr\",evntDesc=\"pis\",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName=\"atemq\",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url=\"https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem\",webQuery=\"plicab\",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application=\"olorinr\",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action=\"allow\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "teturad", + "host.hostname": "gitse6744.api.local", + "input.type": "log", + "log.level": "high", + "log.offset": 42925, + "network.application": "olorinr", + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.81.108.232", + "10.52.106.68" + ], + "related.user": [ + "aco", + "neavolup", + "uaturve" + ], + "rsa.counters.event_counter": 5098, + "rsa.db.database": "lapa", + "rsa.internal.event_desc": "pis", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "Quisaut", + "allow" + ], + "rsa.misc.category": "idol", + "rsa.misc.disposition": "mmodico", + "rsa.misc.event_type": "emaccu", + "rsa.misc.group": "teturad", + "rsa.misc.log_session_id": 
"naaliq", + "rsa.misc.operation_id": "tmolli", + "rsa.misc.policy_name": "atemq", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eiusmodt", + "rsa.misc.rule_name": "alorumwr", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-09-05T08:06:31.000Z", + "rsa.web.alias_host": "volupta", + "rule.name": "alorumwr", + "service.type": "imperva", + "source.address": "gitse6744.api.local", + "source.ip": [ + "10.52.106.68" + ], + "source.port": 5818, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem", + "url.query": "plicab", + "user.name": "aco" + }, + { + "destination.ip": [ + "10.223.10.28" + ], + "destination.port": 1991, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName=\"eabill\",evntDesc=\"itatiset\",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName=\"emveleu\",occurrences=4029,httpHost=norumet,webMethod=tconse,url=\"https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo\",webQuery=\"lestia\",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application=\"untmoll\",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action=\"deny\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "quia", + "host.hostname": "par3605.internal.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 43696, + "network.application": "untmoll", + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.223.10.28", + "10.230.48.97" + ], + "related.user": [ + "erit", + "untex", + "usmodte" + ], + "rsa.counters.event_counter": 4029, + "rsa.db.database": "ommodi", + "rsa.internal.event_desc": "itatiset", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "tconse", + "deny" + ], + "rsa.misc.category": "uaerat", + "rsa.misc.disposition": "met", + "rsa.misc.event_type": "isno", + "rsa.misc.group": "quia", + "rsa.misc.log_session_id": "enderi", + "rsa.misc.operation_id": "umquamei", + "rsa.misc.policy_name": "emveleu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eavo", + "rsa.misc.rule_name": "eabill", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-09-19T15:09:05.000Z", + "rsa.web.alias_host": "norumet", + "rule.name": "eabill", + "service.type": "imperva", + "source.address": "par3605.internal.localdomain", + "source.ip": [ + "10.230.48.97" + ], + "source.port": 2572, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo", + "url.query": "lestia", + "user.name": "erit" + }, + { + "destination.ip": [ + "10.115.42.231" + ], + "destination.port": 2143, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "abi", + "host.hostname": "isau4356.www.home", + 
"input.type": "log", + "log.offset": 44466, + "network.application": "ameiusm", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.115.42.231", + "10.161.212.150" + ], + "related.user": [ + "tasnul", + "sequamn", + "res" + ], + "rsa.counters.dclass_c1": 4846, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqui", + "rsa.db.index": "natus", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "abi", + "rsa.misc.group_object": "corporis", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 6.993, + "rsa.time.starttime": "2019-10-03T22:11:40.000Z", + "service.type": "imperva", + "source.address": "isau4356.www.home", + "source.ip": [ + "10.161.212.150" + ], + "source.port": 2748, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "res" + }, + { + "destination.ip": [ + "10.247.108.144" + ], + "destination.port": 3896, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 
03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName=\"nevo\",evntDesc=\"stiaec\",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName=\"iutaliqu\",occurrences=3711,httpHost=onsectet,webMethod=iat,url=\"https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip\",webQuery=\"iquaUte\",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application=\"urEx\",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action=\"block\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "sciuntNe", + "host.hostname": "labo3477.www5.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 44914, + "network.application": "urEx", + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.247.108.144", + "10.226.75.20" + ], + "related.user": [ + "fugia", + "tema", + "maccusan" + ], + "rsa.counters.event_counter": 3711, + "rsa.db.database": "psa", + "rsa.internal.event_desc": "stiaec", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "iat" + ], + "rsa.misc.category": "officia", + "rsa.misc.disposition": "ametcon", + "rsa.misc.event_type": "gnid", + "rsa.misc.group": "sciuntNe", + "rsa.misc.log_session_id": "dent", + "rsa.misc.operation_id": "emp", + "rsa.misc.policy_name": "iutaliqu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "writt", + "rsa.misc.rule_name": "nevo", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2019-10-18T05:14:14.000Z", + "rsa.web.alias_host": "onsectet", + "rule.name": "nevo", + "service.type": "imperva", + "source.address": "labo3477.www5.domain", + "source.ip": [ + "10.226.75.20" + ], + 
"source.port": 5677, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip", + "url.query": "iquaUte", + "user.name": "tema" + }, + { + "destination.ip": [ + "10.192.15.65" + ], + "destination.port": 3328, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application=\"uptatemU\",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action=\"block\",rawQuery=\"tmollit\"", + "fileset.name": "securesphere", + "group.name": "ntoreve", + "host.hostname": "itseddo2209.mail.domain", + "input.type": "log", + "log.offset": 45679, + "network.application": "uptatemU", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.192.15.65", + "10.97.22.61" + ], + "related.user": [ + "rExcep", + "nimides", + "illumd" + ], + "rsa.counters.dclass_c1": 4173, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "olu", + "rsa.db.index": "tmollit", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "aparia", + "rsa.misc.group": "ntoreve", + "rsa.misc.group_object": "labor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.27, + "rsa.time.starttime": "2019-11-01T12:16:48.000Z", + "service.type": "imperva", + "source.address": "itseddo2209.mail.domain", + "source.ip": [ + "10.97.22.61" + ], + "source.port": 6420, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "nimides" + }, + { + "destination.ip": [ + 
"10.116.76.161" + ], + "destination.port": 2009, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName=\"ommodi\",evntDesc=\"ritat\",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName=\"tla\",occurrences=2608,httpHost=ender,webMethod=quid,url=\"https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema\",webQuery=\"ioffici\",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application=\"emquia\",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel", + "fileset.name": "securesphere", + "group.name": "vol", + "host.hostname": "duntutl3396.api.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 46132, + "network.application": "emquia", + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.116.76.161", + "10.197.254.133" + ], + "related.user": [ + "ide", + "trudex", + "idu" + ], + "rsa.counters.event_counter": 2608, + "rsa.db.database": "ncul", + "rsa.internal.event_desc": "ritat", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "quid", + "cancel" + ], + "rsa.misc.category": "dipi", + "rsa.misc.disposition": "asnulapa", + "rsa.misc.event_type": "atev", + "rsa.misc.group": "vol", + "rsa.misc.log_session_id": "metconse", + "rsa.misc.operation_id": "venia", + "rsa.misc.policy_name": "tla", + "rsa.misc.result_code": "tat", + "rsa.misc.rule_name": "ommodi", + "rsa.misc.severity": "medium", + "rsa.time.starttime": 
"2019-11-15T19:19:22.000Z", + "rsa.web.alias_host": "ender", + "rule.name": "ommodi", + "service.type": "imperva", + "source.address": "duntutl3396.api.host", + "source.ip": [ + "10.197.254.133" + ], + "source.port": 7469, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema", + "url.query": "ioffici", + "user.name": "ide" + }, + { + "destination.ip": [ + "10.28.77.79" + ], + "destination.port": 3615, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application=\"tetura\",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action=\"deny\",rawQuery=\"nemu\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "nti", + "host.hostname": "colabo6686.internal.invalid", + "input.type": "log", + "log.offset": 46865, + "network.application": "tetura", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.28.77.79", + "10.144.14.15" + ], + "related.user": [ + "rspic", + "utlab", + "upta" + ], + "rsa.counters.dclass_c1": 4810, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uptass", + "rsa.db.index": "nemu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "nti", + "rsa.misc.group_object": 
"consequ", + "rsa.misc.result": "success", + "rsa.time.duration_time": 22.348, + "rsa.time.starttime": "2019-11-30T02:21:57.000Z", + "service.type": "imperva", + "source.address": "colabo6686.internal.invalid", + "source.ip": [ + "10.144.14.15" + ], + "source.port": 1150, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "upta" + }, + { + "destination.ip": [ + "10.248.177.182" + ], + "destination.port": 317, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application=\"exerci\",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action=\"accept\",rawQuery=\"icer\"", + "fileset.name": "securesphere", + "group.name": "taedicta", + "host.hostname": "tsunti1164.www.example", + "input.type": "log", + "log.offset": 47307, + "network.application": "exerci", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.18.15.43", + "10.248.177.182" + ], + "related.user": [ + "quei", + "quaturve", + "caecat" + ], + "rsa.counters.dclass_c1": 983, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "equatur", + "rsa.db.index": "icer", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "tiumt", + "rsa.misc.group": "taedicta", + "rsa.misc.group_object": "reetdol", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 113.318, + "rsa.time.starttime": "2019-12-14T09:24:31.000Z", + "service.type": "imperva", + "source.address": "tsunti1164.www.example", + "source.ip": [ + "10.18.15.43" + ], + 
"source.port": 2224, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "quei" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md new file mode 100644 index 00000000000..70331a42101 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/README.md @@ -0,0 +1,7 @@ +# infoblox module + +This is a module for Infoblox NIOS logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 +at 2020-07-13 17:55:37.264156 +0000 UTC. + diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml new file mode 100644 index 00000000000..85df3964b38 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/_meta/config.yml @@ -0,0 +1,19 @@ +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc new file mode 100644 index 00000000000..9b53fa89810 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc 
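Review bot: The config template documents `var.syslog_host` without saying that the udp/tcp inputs accept syslog from any sender with no authentication, so a user who follows the module docs' advice to bind `0.0.0.0` opens an unauthenticated ingestion port, and over UDP the source address of each event is trivially spoofable. I would extend the comment above `# var.syslog_host: localhost` with `# NOTE: the udp/tcp inputs do not authenticate senders; keep this on localhost or restrict the port with a host firewall/ACL when binding a non-loopback address.` The template also omits `var.keep_raw_fields`, which the fileset docs added in this same change describe (default false); add `# Toggle inclusion of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` next to the `var.rsa_fields` entry so the template and the docs list the same knobs.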
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: infoblox +:has-dashboards: false + +== Infoblox module + +experimental[] + +This is a module for receiving Infoblox NIOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nios + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nios` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9512` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/infoblox/_meta/fields.yml b/x-pack/filebeat/module/infoblox/_meta/fields.yml new file mode 100644 index 00000000000..38b39cb5624 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: infoblox + title: Infoblox NIOS + description: > + infoblox fields. + fields: diff --git a/x-pack/filebeat/module/infoblox/fields.go b/x-pack/filebeat/module/infoblox/fields.go new file mode 100644 index 00000000000..5b80cfb5f74 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package infoblox + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "infoblox", asset.ModuleFieldsPri, AssetInfoblox); err != nil { + panic(err) + } +} + +// AssetInfoblox returns asset data. +// This is the base64 encoded gzipped contents of module/infoblox. +func AssetInfoblox() string { + return "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" +} diff --git a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml new file mode 100644 index 00000000000..35ad775a3aa --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Infoblox"
+ product: "Network"
+ type: "IPAM"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/infoblox/nios/config/liblogparser.js
+ - ${path.home}/module/infoblox/nios/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
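Review bot: `ecs.version: 1.5.0` at the end of the hunk is a bare pin with nothing tying it to the field mappings it describes, so a later ECS bump in the module's field definitions can leave events still labelled 1.5.0; a comment above it, `# Must match the ECS release the module's field mappings target`, would make that coupling visible. Likewise the `host: "{{.syslog_host}}:{{.syslog_port}}"` line opens a syslog listener whose bind address comes from a setting defined outside this hunk, and the template gives no hint that the listener accepts unauthenticated input; a remark at that line, `# syslog listener: keep syslog_host on the interface meant to receive forwarded logs`, would help operators who copy this config. The same template presumably recurs in the other datasets this PR adds, so both comments would belong in each of them.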
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+}
+
+function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined?
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + +var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + +var dup22 = setc("action","DHCPRELEASE"); + +var dup23 = setc("action","DHCPDISCOVER"); + +var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + +var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var dup27 = setc("action","DHCPREQUEST"); + +var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var dup29 = setc("event_description","unknown network segment"); + +var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], +}); + +var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + +var dup32 = setc("action","DHCPACK"); + +var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var dup35 = setf("domain","zone"); + +var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var dup44 = 
match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var dup45 = setc("event_description","updating zone"); + +var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var dup47 = setf("domain","hostname"); + +var dup48 = setc("eventcategory","1801010000"); + +var dup49 = setc("ec_activity","Request"); + +var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + +var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var dup54 = setc("action","Refused"); + +var dup55 = setf("dns_querytype","event_description"); + +var dup56 = setc("eventcategory","1901000000"); + +var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + +var dup58 = setc("eventcategory","1801000000"); + +var dup59 = setf("zone","domain"); + +var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], +}); + +var dup61 = setf("info","hdata"); + +var dup62 = setc("eventcategory","1301000000"); + +var dup63 = setc("eventcategory","1303000000"); + +var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup65 = linear_select([ + dup17, + dup18, +]); + +var dup66 = linear_select([ + dup20, + dup21, +]); + +var dup67 = linear_select([ + dup25, + dup26, +]); + +var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var dup69 = linear_select([ + dup33, + dup34, +]); + +var dup70 = linear_select([ + dup37, + dup38, + dup39, +]); + +var dup71 = linear_select([ + dup42, + dup43, + dup44, +]); + +var dup72 = linear_select([ + dup51, + 
dup52, +]); + +var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + +var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + +var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + +var select1 = linear_select([ + part1, + part2, +]); + +var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + +var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), +}); + +var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), +])); + +var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), +])); + +var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + +var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + +var select2 = linear_select([ + part4, + part5, +]); + +var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + +var all2 = 
all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), +}); + +var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, +]); + +var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +])); + +var msg1 = msg("httpd", part7); + +var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg2 = msg("httpd:01", part8); + +var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg3 = msg("httpd:02", part9); + +var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg4 = msg("httpd:03", part10); + +var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication 
for user %{username->} failed", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg5 = msg("httpd:04", part11); + +var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, +])); + +var msg6 = msg("httpd:05", part12); + +var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, +])); + +var msg7 = msg("httpd:07", part13); + +var msg8 = msg("httpd:06", dup64); + +var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, +]); + +var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), +])); + +var msg9 = msg("in.tftpd:01", part14); + +var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), +])); + +var msg10 = msg("in.tftpd:02", part15); + +var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, +])); + +var msg11 = msg("in.tftpd", part16); + +var select5 = linear_select([ + msg9, + msg10, + msg11, +]); + +var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); + +var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + +var part19 = 
match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + +var select6 = linear_select([ + part18, + part19, +]); + +var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + +var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), +}); + +var msg12 = msg("dhcpd:12", all3); + +var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), +])); + +var msg13 = msg("dhcpd:21", part21); + +var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), +])); + +var msg14 = msg("dhcpd:10", part22); + +var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), +])); + +var msg15 = msg("dhcpd:13", part23); + +var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), +])); + +var msg16 = msg("dhcpd:15", part24); + +var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), +])); + +var msg17 = msg("dhcpd:22", part25); + +var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), +])); + +var msg18 = msg("dhcpd:25", part26); + +var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), +])); + +var msg19 = msg("dhcpd:06", part27); + +var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + +var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), +}); + +var msg20 = msg("dhcpd:18", all4); + +var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + +var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), +}); + +var msg21 = msg("dhcpd:19", all5); + +var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), +])); + +var msg22 = msg("dhcpd", part30); + +var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), +])); + +var msg23 = msg("dhcpd:30", part31); + +var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg24 = msg("dhcpd:01", part32); + +var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", 
processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg25 = msg("dhcpd:02", part33); + +var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); + +var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); + +var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), +}); + +var msg26 = msg("dhcpd:03", all6); + +var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, +])); + +var msg27 = msg("dhcpd:04", part36); + +var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + +var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + +var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + +var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), +}); + +var msg28 = msg("dhcpd:07", all7); + +var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + +var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), +}); + +var msg29 = msg("dhcpd:09", all8); + +var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip->} unavailable"); + +var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + 
dup27, + setc("result","lease unavailable"), + ]), +}); + +var msg30 = msg("dhcpd:26", all9); + +var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, +])); + +var msg31 = msg("dhcpd:08", part43); + +var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), +}); + +var msg32 = msg("dhcpd:11", all10); + +var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, +])); + +var msg33 = msg("dhcpd:31", part44); + +var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, +])); + +var msg34 = msg("dhcpd:32", part45); + +var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), +])); + +var msg35 = msg("dhcpd:33", part46); + +var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + +var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + +var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + +var select8 = linear_select([ + part48, + part49, +]); + +var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + +var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + +var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + +var part53 = match("MESSAGE#35:dhcpd:34/3_2", 
"nwparser.p0", "%{fld7}"); + +var select9 = linear_select([ + part51, + part52, + part53, +]); + +var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg36 = msg("dhcpd:34", all11); + +var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), +])); + +var msg37 = msg("dhcpd:35", part54); + +var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), +])); + +var msg38 = msg("dhcpd:36", part55); + +var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); + +var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), +}); + +var msg39 = msg("dhcpd:14", all12); + +var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + +var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + +var select10 = linear_select([ + part58, + dup20, + dup21, +]); + +var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), +}); + +var msg40 = msg("dhcpd:24", all13); + +var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), +])); + +var msg41 = msg("dhcpd:17", part59); + +var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + +var all14 = 
all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), +}); + +var msg42 = msg("dhcpd:05", all14); + +var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, +])); + +var msg43 = msg("dhcpd:16", part61); + +var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), +])); + +var msg44 = msg("dhcpd:20", part62); + +var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), +])); + +var msg45 = msg("dhcpd:23", part63); + +var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg46 = msg("dhcpd:28", part64); + +var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg47 = msg("dhcpd:29", part65); + +var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg48 = msg("dhcpd:39", part66); + +var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg49 = msg("dhcpd:41", part67); + +var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", 
processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg50 = msg("dhcpd:42", part68); + +var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, +])); + +var msg51 = msg("dhcpd:43", part69); + +var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, +])); + +var msg52 = msg("dhcpd:44", part70); + +var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg53 = msg("dhcpd:45", part71); + +var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), +])); + +var msg54 = msg("dhcpd:46", part72); + +var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + +var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + +var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + +var select11 = linear_select([ + part74, + part75, +]); + +var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg55 = msg("dhcpd:47", all15); + +var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg56 = msg("dhcpd:48", part76); + +var part77 = 
match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), +])); + +var msg57 = msg("dhcpd:49", part77); + +var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg58 = msg("dhcpd:50", part78); + +var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + +var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + +var select12 = linear_select([ + part79, + part80, +]); + +var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + +var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + +var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + +var select13 = linear_select([ + part82, + part83, +]); + +var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + +var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), +}); + +var msg59 = msg("dhcpd:51", all16); + +var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg60 = msg("dhcpd:52", part85); + +var msg61 = msg("dhcpd:37", dup68); + +var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + 
msg56, + msg57, + msg58, + msg59, + msg60, + msg61, +]); + +var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system event status"), +])); + +var msg62 = msg("ntpd:05", part86); + +var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), +])); + +var msg63 = msg("ntpd:04", part87); + +var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), +])); + +var msg64 = msg("ntpd:03", part88); + +var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), +])); + +var msg65 = msg("ntpd", part89); + +var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), +])); + +var msg66 = msg("ntpd:01", part90); + +var msg67 = msg("ntpd:02", dup64); + +var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, +]); + +var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + +var all17 = all_match({ + processors: [ + part91, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg68 = msg("named:16", all17); + +var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + +var all18 = all_match({ + processors: [ + part92, + dup69, + ], + on_success: processor_chain([ + dup15, + 
dup6, + dup8, + dup35, + ]), +}); + +var msg69 = msg("named", all18); + +var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + +var all19 = all_match({ + processors: [ + part93, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg70 = msg("named:12", all19); + +var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + +var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + +var select16 = linear_select([ + part94, + part95, +]); + +var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + +var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg71 = msg("named:01", all20); + +var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + +var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + +var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + +var select17 = linear_select([ + part99, + dup40, +]); + +var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + +var select18 = linear_select([ + dup41, + part100, +]); + +var all21 = all_match({ + processors: [ + part97, + dup70, + part98, + select17, + select18, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg72 = msg("named:17", all21); + +var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + +var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + +var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + +var select19 = 
linear_select([ + part102, + part103, +]); + +var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + +var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg73 = msg("named:18", all22); + +var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + +var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + +var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + +var select20 = linear_select([ + part107, + dup40, +]); + +var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + +var select21 = linear_select([ + dup41, + part108, +]); + +var all23 = all_match({ + processors: [ + part105, + dup70, + part106, + select20, + select21, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg74 = msg("named:02", all23); + +var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + +var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + +var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + +var select22 = linear_select([ + part110, + part111, +]); + +var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup47, + ]), +}); + +var msg75 = msg("named:19", all24); + +var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg76 = msg("named:03", part112); + +var part113 = match("MESSAGE#62:named:11", 
"nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), +])); + +var msg77 = msg("named:11", part113); + +var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg78 = msg("named:13", part114); + +var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg79 = msg("named:14", part115); + +var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg80 = msg("named:15", part116); + +var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + +var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + +var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + +var select23 = linear_select([ + part118, + part119, +]); + +var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), +}); + +var msg81 = msg("named:25", all25); + +var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + +var all26 = all_match({ + processors: [ + dup50, + dup72, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg82 = msg("named:63", all26); + +var part121 = 
match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + +var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + +var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + +var select24 = linear_select([ + part122, + part123, +]); + +var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + +var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg83 = msg("named:72", all27); + +var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg84 = msg("named:28", part125); + +var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + +var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + +var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + +var select25 = linear_select([ + part127, + part128, +]); + +var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), +}); + +var msg85 = msg("named:71", all28); + +var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + +var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + +var select26 = linear_select([ + part130, + dup46, +]); + +var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg86 = msg("named:70", all29); + +var part131 = 
match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + +var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + +var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + +var select27 = linear_select([ + part132, + part133, +]); + +var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + +var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + +var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + +var select28 = linear_select([ + part135, + part136, +]); + +var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg87 = msg("named:40", all30); + +var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg88 = msg("named:05", part137); + +var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + +var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + +var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + +var select29 = linear_select([ + part138, + part139, + part140, + dup53, +]); + +var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + +var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), +}); + +var msg89 = msg("named:10", all31); + +var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), +])); + +var msg90 = msg("named:29", part142); + +var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","client received notify for zone"), +])); + +var msg91 = msg("named:08", part143); + +var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), +])); + +var msg92 = msg("named:09", part144); + +var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + +var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + +var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + +var select30 = linear_select([ + part146, + part147, +]); + +var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + +var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + +var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + +var select31 = linear_select([ + part149, + part150, +]); + +var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg93 = msg("named:76", all32); + +var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg94 = msg("named:75", part151); + +var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + +var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + +var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + +var select32 = linear_select([ + part153, + part154, +]); + +var all33 = all_match({ + processors: [ + part152, + select32, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg95 = msg("named:06", all33); + +var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, +])); + +var msg96 = msg("named:20", part155); + +var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + +var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + +var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + +var select33 = linear_select([ + part157, + part158, +]); + +var all34 = all_match({ + processors: [ + part156, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, 
+ dup35, + ]), +}); + +var msg97 = msg("named:49", all34); + +var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + +var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + +var select34 = linear_select([ + part159, + part160, +]); + +var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + +var all35 = all_match({ + processors: [ + dup57, + select34, + part161, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg98 = msg("named:24", all35); + +var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + +var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + +var select35 = linear_select([ + part162, + part163, +]); + +var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + +var all36 = all_match({ + processors: [ + dup57, + select35, + part164, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg99 = msg("named:26", all36); + +var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + +var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + +var select36 = linear_select([ + part165, + part166, +]); + +var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); + +var all37 = all_match({ + processors: [ + dup57, + select36, + part167, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg100 = msg("named:27", all37); + +var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + +var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + +var select37 = 
linear_select([ + part168, + part169, + dup53, +]); + +var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + +var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + +var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + +var select38 = linear_select([ + part171, + part172, +]); + +var all38 = all_match({ + processors: [ + dup50, + dup72, + select37, + part170, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg101 = msg("named:38", all38); + +var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, +])); + +var msg102 = msg("named:39", part173); + +var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg103 = msg("named:46", part174); + +var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg104 = msg("named:64", part175); + +var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, +])); + +var msg105 = msg("named:45", part176); + +var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + +var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", 
"%{domain}/IN'%{p0}"); + +var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + +var select39 = linear_select([ + part178, + part179, +]); + +var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + +var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + +var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + +var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + +var select40 = linear_select([ + part181, + part182, + part183, +]); + +var all39 = all_match({ + processors: [ + part177, + select39, + part180, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg106 = msg("named:44", all39); + +var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg107 = msg("named:43", part184); + +var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, +])); + +var msg108 = msg("named:42", part185); + +var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg109 = msg("named:41", part186); + +var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, +])); + +var msg110 = msg("named:47", part187); + +var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + 
dup8, + dup30, +])); + +var msg111 = msg("named:48", part188); + +var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg112 = msg("named:62", part189); + +var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg113 = msg("named:53", part190); + +var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), +])); + +var msg114 = msg("named:77", part191); + +var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup58, + dup6, + dup8, + dup47, +])); + +var msg115 = msg("named:52", part192); + +var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, +])); + +var msg116 = msg("named:50", part193); + +var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, +])); + +var msg117 = msg("named:51", part194); + +var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, +])); + +var msg118 = msg("named:54", part195); + +var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) 
%{p0}"); + +var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + +var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + +var select41 = linear_select([ + part197, + part198, +]); + +var all40 = all_match({ + processors: [ + part196, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), +}); + +var msg119 = msg("named:55", all40); + +var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, +])); + +var msg120 = msg("named:56", part199); + +var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, +])); + +var msg121 = msg("named:57", part200); + +var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + +var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + +var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + +var select42 = linear_select([ + part202, + part203, +]); + +var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + +var all41 = all_match({ + processors: [ + part201, + select42, + part204, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg122 = msg("named:04", all41); + +var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, +])); + +var msg123 = msg("named:58", part205); + +var part206 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving 
'%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, +])); + +var msg124 = msg("named:59", part206); + +var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), +])); + +var msg125 = msg("named:60", part207); + +var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg126 = msg("named:61", part208); + +var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, +])); + +var msg127 = msg("named:73", part209); + +var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg128 = msg("named:74", part210); + +var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + +var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + +var select43 = linear_select([ + part211, + part212, +]); + +var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg129 = msg("named:07", all42); + +var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + 
msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, +]); + +var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), +])); + +var msg130 = msg("pidof:01", part213); + +var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg131 = msg("pidof", part214); + +var select45 = linear_select([ + msg130, + msg131, +]); + +var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), +])); + +var msg132 = msg("validate_dhcpd:01", part215); + +var msg133 = msg("validate_dhcpd", dup73); + +var select46 = linear_select([ + msg132, + msg133, +]); + +var msg134 = msg("syslog-ng", dup64); + +var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg135 = msg("kernel", part216); + +var msg136 = msg("kernel:01", dup64); + +var select47 = linear_select([ + msg135, + msg136, +]); + +var msg137 = msg("radiusd", dup64); + +var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg138 = msg("rc", part217); + +var msg139 = msg("rc3", dup64); + +var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg140 = msg("rcsysinit", 
part218); + +var msg141 = msg("rcsysinit:01", dup64); + +var select48 = linear_select([ + msg140, + msg141, +]); + +var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg142 = msg("watchdog", part219); + +var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg143 = msg("watchdog:01", part220); + +var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg144 = msg("watchdog:02", part221); + +var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg145 = msg("watchdog:03", part222); + +var msg146 = msg("watchdog:04", dup64); + +var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var msg147 = msg("init", dup64); + +var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg148 = msg("logger", part223); + +var msg149 = msg("logger:01", dup64); + +var select50 = linear_select([ + msg148, + msg149, +]); + +var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg150 = msg("openvpn-member", part224); + +var msg151 = msg("openvpn-member:01", dup74); + +var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg152 = msg("openvpn-member:02", part225); + +var part226 = 
match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg153 = msg("openvpn-member:03", part226); + +var msg154 = msg("openvpn-member:04", dup75); + +var msg155 = msg("openvpn-member:05", dup64); + +var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, +]); + +var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg156 = msg("sshd", part227); + +var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + +var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + +var part230 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select52 = linear_select([ + part229, + part230, +]); + +var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + +var all43 = all_match({ + processors: [ + part228, + select52, + part231, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg157 = msg("sshd:01", all43); + +var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg158 = msg("sshd:02", part232); + +var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg159 = msg("sshd:03", part233); + +var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, +])); + +var msg160 = msg("sshd:04", part234); + +var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: 
logout() %{result}", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), +])); + +var msg161 = msg("sshd:05", part235); + +var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), +])); + +var msg162 = msg("sshd:06", part236); + +var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), +])); + +var msg163 = msg("sshd:07", part237); + +var part238 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, +])); + +var msg164 = msg("sshd:08", part238); + +var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, +])); + +var msg165 = msg("sshd:09", part239); + +var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, +])); + +var msg166 = msg("sshd:10", part240); + +var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, +]); + +var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg167 = 
msg("openvpn-master", part241); + +var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg168 = msg("openvpn-master:01", part242); + +var msg169 = msg("openvpn-master:02", dup74); + +var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg170 = msg("openvpn-master:03", part243); + +var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg171 = msg("openvpn-master:04", part244); + +var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg172 = msg("openvpn-master:05", part245); + +var msg173 = msg("openvpn-master:06", dup75); + +var msg174 = msg("openvpn-master:07", dup64); + +var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, +]); + +var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg175 = msg("INFOBLOX-Grid", part246); + +var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + +var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + +var select55 = linear_select([ + part247, + part248, +]); + +var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + +var all44 = all_match({ + processors: [ + select55, + part249, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var 
msg176 = msg("INFOBLOX-Grid:02", all44); + +var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), +])); + +var msg177 = msg("INFOBLOX-Grid:03", part250); + +var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg178 = msg("INFOBLOX-Grid:04", part251); + +var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, +]); + +var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg179 = msg("db_jnld", part252); + +var part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + +var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + +var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + +var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + +var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + +var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + +var select57 = linear_select([ + part254, + part255, + part256, + part257, + part258, +]); + +var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + +var all45 = all_match({ + processors: [ + part253, + select57, + part259, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg180 = msg("db_jnld:01", all45); + +var select58 = linear_select([ + msg179, + msg180, +]); + +var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + +var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + +var part262 = 
match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + +var select59 = linear_select([ + part261, + part262, +]); + +var all46 = all_match({ + processors: [ + part260, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg181 = msg("sSMTP", all46); + +var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg182 = msg("sSMTP:02", part263); + +var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg183 = msg("sSMTP:03", part264); + +var msg184 = msg("sSMTP:04", dup73); + +var select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, +]); + +var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg185 = msg("scheduled_backups", part265); + +var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), +])); + +var msg186 = msg("scheduled_ftp_backups", part266); + +var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), +])); + +var msg187 = msg("failed_scheduled_ftp_backups", part267); + +var select61 = linear_select([ + msg186, + msg187, +]); + +var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + 
setc("event_description","Scheduled backup to the SCP server was successful"), +])); + +var msg188 = msg("scheduled_scp_backups", part268); + +var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg189 = msg("python", part269); + +var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg190 = msg("python:01", part270); + +var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg191 = msg("python:02", part271); + +var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg192 = msg("python:03", part272); + +var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg193 = msg("python:04", part273); + +var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg194 = msg("python:05", part274); + +var msg195 = msg("python:06", dup64); + +var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, +]); + +var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, +])); + +var msg196 = msg("monitor", part275); + +var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version 
%{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg197 = msg("snmptrapd", part276); + +var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg198 = msg("snmptrapd:01", part277); + +var msg199 = msg("snmptrapd:02", dup64); + +var select63 = linear_select([ + msg197, + msg198, + msg199, +]); + +var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg200 = msg("ntpdate", part278); + +var msg201 = msg("ntpdate:01", dup73); + +var select64 = linear_select([ + msg200, + msg201, +]); + +var msg202 = msg("phonehome", dup64); + +var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg203 = msg("purge_scheduled_tasks", part279); + +var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), +])); + +var msg204 = msg("serial_console:04", part280); + +var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), +])); + +var msg205 = msg("serial_console:03", part281); + +var part282 = match("MESSAGE#188:serial_console", 
"nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg206 = msg("serial_console", part282); + +var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), +])); + +var msg207 = msg("serial_console:01", part283); + +var part284 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), +])); + +var msg208 = msg("serial_console:02", part284); + +var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), +])); + +var msg209 = msg("serial_console:05", part285); + +var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), +])); + +var msg210 = msg("serial_console:06", part286); + +var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, +]); + +var msg211 = msg("rc6", dup64); + +var msg212 = msg("acpid", dup64); + +var msg213 = msg("diskcheck", dup64); + +var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg214 = msg("debug_mount", part287); + +var msg215 = msg("smart_check_io", dup64); + +var msg216 = msg("speedstep_control", 
dup64); + +var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), +])); + +var msg217 = msg("controld", part288); + +var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), +])); + +var msg218 = msg("controld:02", part289); + +var select66 = linear_select([ + msg217, + msg218, +]); + +var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), +])); + +var msg219 = msg("shutdown", part290); + +var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), +])); + +var msg220 = msg("ntpd_initres", part291); + +var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg221 = msg("rsyncd", part292); + +var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg222 = msg("rsyncd:01", part293); + +var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg223 = msg("rsyncd:02", part294); + +var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg224 = msg("rsyncd:03", part295); + +var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", 
processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, +])); + +var msg225 = msg("rsyncd:04", part296); + +var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, +]); + +var msg226 = msg("syslog", dup76); + +var msg227 = msg("restarting", dup76); + +var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var msg228 = msg("ipmievd", part297); + +var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg229 = msg("netauto_discovery", part298); + +var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), +])); + +var msg230 = msg("netauto_discovery:01", part299); + +var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg231 = msg("netauto_discovery:02", part300); + +var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, +])); + +var msg232 = msg("netauto_discovery:03", part301); + +var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, +]); + +var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + 
dup58, + dup6, + dup8, + dup60, +])); + +var msg233 = msg("netauto_core:01", part302); + +var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg234 = msg("netauto_core", part303); + +var select69 = linear_select([ + msg233, + msg234, +]); + +var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, +])); + +var msg235 = msg("captured_dns_uploader", part304); + +var part305 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, +])); + +var msg236 = msg("DIS", part305); + +var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg237 = msg("DIS:01", part306); + +var select70 = linear_select([ + msg236, + msg237, +]); + +var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, +])); + +var msg238 = msg("ErrorMsg", part307); + +var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg239 = msg("tacacs_acct", part308); + +var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), +])); + +var msg240 = msg("tacacs_acct:01", part309); + +var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg241 = msg("tacacs_acct:02", part310); + +var select71 = linear_select([ + msg239, + msg240, + msg241, +]); + +var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), +])); + +var msg242 = msg("dhcpdv6", part311); + +var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), +])); + +var msg243 = msg("dhcpdv6:01", part312); + +var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), +])); + +var msg244 = msg("dhcpdv6:02", part313); + +var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), +])); + +var msg245 = msg("dhcpdv6:03", part314); + +var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", 
processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), +])); + +var msg246 = msg("dhcpdv6:04", part315); + +var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), +])); + +var msg247 = msg("dhcpdv6:05", part316); + +var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), +])); + +var msg248 = msg("dhcpdv6:06", part317); + +var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), +])); + +var msg249 = msg("dhcpdv6:07", part318); + +var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg250 = msg("dhcpdv6:08", part319); + +var msg251 = msg("dhcpdv6:09", dup68); + +var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, +]); + +var msg252 = msg("debug", dup68); + +var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), +])); + +var msg253 = msg("cloud_api", part320); + +var chain1 = processor_chain([ + select3, + msgid_select({ + 
"DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), +]); + +var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + +var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + +var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + +var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + +var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + +var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + +var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var part328 = 
match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + +var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + +var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + +var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var select73 = 
linear_select([ + dup17, + dup18, +]); + +var select74 = linear_select([ + dup20, + dup21, +]); + +var select75 = linear_select([ + dup25, + dup26, +]); + +var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var select76 = linear_select([ + dup33, + dup34, +]); + +var select77 = linear_select([ + dup37, + dup38, + dup39, +]); + +var select78 = linear_select([ + dup42, + dup43, + dup44, +]); + +var select79 = linear_select([ + dup51, + dup52, +]); + +var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml new file mode 100644 index 00000000000..5693b4aea49 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Infoblox NIOS
+
+processors:
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/infoblox/nios/manifest.yml b/x-pack/filebeat/module/infoblox/nios/manifest.yml
new file mode 100644
index 00000000000..4f6b364c6e7
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/manifest.yml
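Review bot: The `geoip` processors read `source.ip` and `destination.ip` as scalar fields, but the expected-output fixture added in this same commit stores `source.ip` as a list (`"source.ip": ["10.104.111.129"]`), so on an Elasticsearch release whose geoip processor does not accept a list value the lookup throws, the event drops into `on_failure`, and geolocation and AS enrichment are silently lost; confirm the minimum supported version or guard each lookup, e.g. `if: ctx.source?.ip instanceof String`. Because `on_failure` only appends `{{ _ingest.on_failure_message }}` to `error.message`, a failed enrichment is hard to notice in dashboards; adding `- set: {field: event.kind, value: pipeline_error}` alongside the append makes such events searchable. A header comment stating that the AS lookups require the bundled `GeoLite2-ASN.mmdb` database would also help operators running the pipeline outside the default distribution.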
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+  - name: paths
+  - name: tags
+    default: ["infoblox.nios", "forwarded"]
+  - name: syslog_host
+    default: localhost
+  - name: syslog_port
+    default: 9512
+  - name: input
+    default: udp
+  - name: community_id
+    default: true
+  - name: tz_offset
+    default: local
+  - name: rsa_fields
+    default: true
+  - name: keep_raw_fields
+    default: false
+  - name: debug
+    default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+  plugin: ingest-geoip
+- name: user_agent
+  plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log
new file mode 100644
index 00000000000..293140fb637
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log
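Review bot: The `tz_offset` variable defaults to `local` while the `tags` default marks every event as `forwarded`, i.e. produced on an appliance other than the collecting host; with that default the Beat host's time zone is applied to the appliance's syslog timestamps, and nothing in the hunk documents this. A comment on the variable would make the trade-off visible, e.g. `# tz_offset: zone applied to the appliance's timestamps; "local" means the Beat host's zone, set it explicitly when logs are forwarded across zones`. The `rsa_fields`, `keep_raw_fields` and `debug` variables likewise carry no description, so their effect (which fields are kept and whether raw payloads are retained) can only be discovered by reading the pipeline; a one-line comment on each would help.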
@@ -0,0 +1,100 @@ +January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten +Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci +Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213 +March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia +March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) +April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura +Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success +May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 +May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec +June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo +June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema +July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu +July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot +August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15 +August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start +August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw +September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor +September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco +October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 +October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 +November 10 03:01:24 Loremip6417.mail.test emoeni: syslog 
oenimips +November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) +December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm +December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list +January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu +January 20 14:14:16 wri2784.api.domain hitect: restarting dol +February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq +February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat +March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre +March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete +April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos +April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" +April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) +May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme +May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non +Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis +June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons +July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav +July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc +August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 +August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa +September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor +September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start +October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine +October 19 
04:03:07 loreme853.www5.localdomain ven: snmptrapd con +November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) +November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe +December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 +December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt +December 29 15:15:58 tali7803.www.localdomain its: httpd ender +January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum +January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836 +February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim +February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu +March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat +sshd: Sleep 60 seconds for slowing down ssh login +April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure +April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd +May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui +May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips +June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv +June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo +July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima +Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown +August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 +August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. 
+September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun +September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15 +October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri +Nov 9 02:12:32 umq1309.api.test uae: debug mve +November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start +December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15 +December 21 23:20:14 archite1843.mail.home isqua: radiusd uta +January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl +January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec +sshd[saquaea]: Did not receive identification string from 10.222.251.114 +February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79 +March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15 +March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success +April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem +April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun +April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr +May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS +May 28 04:48:31 abor4353.www5.host ame: python tesseq +June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto +June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start +July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod. 
+July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt +August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu +Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe +September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo +September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem +October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success +October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum +November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo +November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla +November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor +December 14 07:24:31 dtemp1362.internal.example mips: init itae diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json new file mode 100644 index 00000000000..9552bff05b5 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -0,0 +1,2376 @@ +[ + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 0, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.5191", + "rsa.db.index": "mwritten", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "volup208.invalid", + "rsa.misc.version": "1.5191", + "rsa.time.day": "29", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci", + "fileset.name": "nios", + "host.ip": "10.202.204.154", + "host.name": "atio5608.www5.localhost", + "input.type": "log", + "log.offset": 103, + "network.protocol": "ggp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.202.204.154" + ], + "rsa.db.index": "issusci", + "rsa.internal.data": "tur", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "eFini" + ], + "rsa.misc.event_source": "com1060.api.example", + "rsa.network.alias_host": [ + "atio5608.www5.localhost" + ], + "rsa.time.day": "12", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": "https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam" + }, + { + "event.code": "netauto_core", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213", + "fileset.name": "nios", + "host.ip": "10.13.70.213", + "input.type": "log", + "log.offset": 307, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.13.70.213" + ], + "rsa.internal.data": "taliqu", + "rsa.internal.messageid": "netauto_core", + "rsa.misc.client": "ommod", + "rsa.misc.device_name": "scivel", + "rsa.misc.event_source": "ptass3168.www5.example", + "rsa.time.day": "26", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 462, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "veleumi", + "rsa.internal.event_desc": "tia", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "mcolabor1656.www5.corp", + "rsa.time.day": "12", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 536, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "occ", + "rsa.internal.event_desc": "ect", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "Cice513.api.local", + 
"rsa.misc.result_code": "reetdolo", + "rsa.time.day": "26", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 638, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "obeataev7086.mail.invalid", + "rsa.time.day": "9", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 713, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "nibusBon7400.localhost", + "rsa.misc.result": "success", + "rsa.time.day": "24", + "rsa.time.month": "Apr", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "iat1852.api.localdomain", + "rsa.time.day": "8", + "rsa.time.month": 
"May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 868, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.104.111.129" + ], + "rsa.internal.data": "etconsec", + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "mquisnos5771.example", + "rsa.time.day": "22", + "rsa.time.duration_time": 61.614, + "rsa.time.month": "May", + "service.type": "infoblox", + "source.ip": [ + "10.104.111.129" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 979, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.3162", + "rsa.email.email_src": "umdolore", + "rsa.internal.data": "umdo", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "ite996.host", + "rsa.misc.version": "1.3162", + "rsa.time.day": "5", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1070, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "eriame", + "rsa.internal.event_desc": "lorema", + 
"rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "enim2780.www.lan", + "rsa.time.day": "20", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", + "file.name": "oremagna", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1124, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atcu", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "emporinc5075.internal.host", + "rsa.misc.result_code": "ationu", + "rsa.time.day": "4", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1228, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "shutdown", + "rsa.misc.event_source": "strude910.internal.local", + "rsa.time.day": "18", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1325, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", 
+ "rsa.time.day": "2", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1408, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "ritatis", + "rsa.misc.event_source": "itaut7095.invalid", + "rsa.time.day": "16", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1487, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "lorumw", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "colabor1552.www5.local", + "rsa.time.day": "30", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1553, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nihi", + "rsa.internal.event_desc": "Lor", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "inima5444.www5.lan", + "rsa.time.day": "13", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + 
"infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1620, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olupt", + "rsa.internal.event_desc": "modoco", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "erc3217.internal.lan", + "rsa.time.day": "28", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "named", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1696, + "observer.ingress.interface.name": "lo1132", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.45.25.68" + ], + "rsa.internal.messageid": "named", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_source": "uames499.internal.host", + "rsa.network.sinterface": "lo1132", + "rsa.time.day": "12", + "rsa.time.month": "October", + "service.type": "infoblox", + "source.ip": [ + "10.45.25.68" + ], + "source.port": 1463, + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1805, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2299", + 
"rsa.internal.data": "intoccae", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "iineavo951.internal.test", + "rsa.misc.version": "1.2299", + "rsa.time.day": "26", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1902, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "emoeni", + "rsa.internal.event_desc": "oenimips", + "rsa.internal.messageid": "syslog", + "rsa.misc.event_source": "Loremip6417.mail.test", + "rsa.time.day": "10", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1969, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "temveleu", + "rsa.internal.event_desc": "Sent mail for colabo (eme)", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "mnisist2347.mail.host", + "rsa.time.day": "24", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2076, + "observer.product": "Network", + 
"observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2807", + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "datatn5076.internal.example", + "rsa.misc.version": "1.2807", + "rsa.time.day": "8", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rsyncd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2178, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "run", + "rsa.internal.event_desc": "building file list", + "rsa.internal.messageid": "rsyncd", + "rsa.misc.event_source": "ercit2385.internal.home", + "rsa.time.day": "23", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2255, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eritqu", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "quisnos4590.mail.domain", + "rsa.time.day": "6", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 20 14:14:16 wri2784.api.domain hitect: restarting dol", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2317, + "observer.product": "Network", + "observer.type": "IPAM", 
+ "observer.vendor": "Infoblox", + "rsa.db.index": "hitect", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "restarting", + "rsa.misc.event_source": "wri2784.api.domain", + "rsa.time.day": "20", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2379, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "oluptate", + "rsa.internal.event_desc": "onseq", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "asun1250.api.localdomain", + "rsa.time.day": "3", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", + "file.name": "equat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2445, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "dantiumt", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "luptasn", + "rsa.misc.event_source": "intoc2428.domain", + "rsa.time.day": "18", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2565, + "observer.product": "Network", 
+ "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "amre", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "ento4488.www5.localhost", + "rsa.time.day": "4", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "controld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2624, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uioffi", + "rsa.internal.event_desc": "Distribution Complete", + "rsa.internal.messageid": "controld", + "rsa.misc.event_source": "boris5916.www5.example", + "rsa.time.day": "18", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2717, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reseos", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "temqu3331.api.host", + "rsa.time.day": "2", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "db_jnld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 
2775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "liquide", + "rsa.internal.messageid": "db_jnld", + "rsa.time.day": "16", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2912, + "network.protocol": "rdp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "ris", + "rsa.internal.event_desc": "uamqu", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "radi1512.mail.example", + "rsa.misc.result_code": "lor", + "rsa.time.day": "30", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3014, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reme", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "onsecte7184.mail.domain", + "rsa.time.day": "14", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ipmievd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3077, + "observer.product": "Network", + "observer.type": "IPAM", + 
"observer.vendor": "Infoblox", + "rsa.db.index": "nse", + "rsa.internal.messageid": "ipmievd", + "rsa.misc.event_source": "eveli265.www5.localdomain", + "rsa.time.day": "29", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis", + "fileset.name": "nios", + "host.ip": "10.74.104.215", + "host.name": "uptatema6843.www.host", + "input.type": "log", + "log.offset": 3136, + "network.protocol": "tcp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.74.104.215" + ], + "rsa.db.index": "rroquis", + "rsa.internal.data": "didunt", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "xeacomm" + ], + "rsa.misc.event_source": "derit4688.mail.localhost", + "rsa.network.alias_host": [ + "uptatema6843.www.host" + ], + "rsa.time.day": "12", + "rsa.time.month": "Jun", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": "https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta" + }, + { + "event.code": "INFOBLOX-Grid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3356, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "smo", + "rsa.internal.messageid": "INFOBLOX-Grid", + "rsa.misc.event_source": "evolup4403.local", + "rsa.time.day": "26", + 
"rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3442, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "temquiav", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "nonn839.api.corp", + "rsa.time.day": "11", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3513, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "isc", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "adm7744.mail.domain", + "rsa.time.day": "25", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3578, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "process.pid": 845, + "rsa.internal.messageid": "watchdog", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_source": "ios6980.example", + "rsa.time.day": "8", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", 
+ "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3652, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "com", + "rsa.internal.event_desc": "tnulapa", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "osquira6030.internal.corp", + "rsa.time.day": "22", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3721, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nbyCic", + "rsa.internal.event_desc": "utlabor", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "squirati63.mail.lan", + "rsa.time.day": "6", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3788, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "upida", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "tvolupt", + "rsa.misc.event_source": "lup2134.www.localhost", + "rsa.time.day": "20", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + 
"event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3867, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ati", + "rsa.internal.event_desc": "uine", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "umdo4017.www.local", + "rsa.time.day": "4", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3926, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "con", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "loreme853.www5.localdomain", + "rsa.time.day": "19", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3992, + "network.protocol": "icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "evit", + "rsa.internal.data": "itess", + "rsa.internal.event_desc": "runtm", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "orumSe728.internal.test", + "rsa.misc.result_code": "molli", + "rsa.time.day": "2", + "rsa.time.month": "November", + 
"service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4110, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ineavo", + "rsa.internal.event_desc": "pexe", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "oremi7400.www.local", + "rsa.time.day": "16", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4185, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.143.187.97" + ], + "rsa.internal.data": "reprehen", + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ess651.test", + "rsa.time.day": "1", + "rsa.time.month": "December", + "service.type": "infoblox", + "source.ip": [ + "10.143.187.97" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "serial_console", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", + "event.outcome": "success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4288, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.user": [ + "temUt" + ], + "rsa.internal.data": "atatn", + 
"rsa.internal.event_desc": "RADIUS authentication succeeded for user", + "rsa.internal.messageid": "serial_console", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_source": "epre6970.www.example", + "rsa.time.day": "15", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "user.name": "temUt" + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 29 15:15:58 tali7803.www.localdomain its: httpd ender", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4413, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ender", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "tali7803.www.localdomain", + "rsa.time.day": "29", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum", + "file.name": "psum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4476, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "frequency initialized from file", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "uradi6198.test", + "rsa.misc.result": "success", + "rsa.time.day": "12", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 27 05:21:06 umSe1918.local itau: ntpd 
ntpd exiting on signal 2836", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4563, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.counters.dclass_c1": 2836, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "umSe1918.local", + "rsa.time.day": "27", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4637, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tenim", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "odoconse228.mail.localdomain", + "rsa.time.day": "10", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4709, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tetu", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "cteturad4074.mail.host", + "rsa.time.day": "24", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat", + "fileset.name": "nios", + 
"input.type": "log", + "log.offset": 4783, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "sequat", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "itation6137.home", + "rsa.time.day": "11", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd: Sleep 60 seconds for slowing down ssh login", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4850, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Sleep 60 seconds", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "slowing down ssh login", + "rsa.time.day": "Sleep", + "rsa.time.month": "sshd:", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4900, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "dun1276.api.localdomain", + "rsa.misc.result": "failure", + "rsa.time.day": "8", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4974, + "observer.product": "Network", + "observer.type": 
"IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreetd", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "iquidexe304.mail.test", + "rsa.time.day": "22", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "captured_dns_uploader", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui", + "event.outcome": "failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5049, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mac", + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "captured_dns_uploader", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.event_source": "preh2690.api.localdomain", + "rsa.time.day": "07", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5122, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7214", + "rsa.email.email_src": "ica", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "rem3032.mail.domain", + "rsa.misc.version": "1.7214", + "rsa.time.day": "21", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", 
+ "fileset.name": "nios", + "input.type": "log", + "log.offset": 5223, + "network.protocol": "ipv6-icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7727", + "rsa.db.index": "itinv", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "tetur2694.mail.local", + "rsa.misc.version": "1.7727", + "rsa.time.day": "4", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5321, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "oremi", + "rsa.misc.event_source": "utaliqu6138.mail.localhost", + "rsa.time.day": "19", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5406, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "prehen", + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "restarting", + "rsa.misc.event_source": "tame4953.mail.localhost", + "rsa.time.day": "3", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 17 17:51:58 
loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", + "file.name": "adminima", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5474, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "deserun", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "esseq", + "rsa.misc.event_source": "loi7596.www5.home", + "rsa.time.day": "17", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5605, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atu", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "mmodoc4947.internal.test", + "rsa.misc.result": "unknown", + "rsa.time.day": "01", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5669, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "olorem2760.www5.test", + "rsa.time.day": "15", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_ftp_backups", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5755, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olorese", + "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", + "rsa.internal.messageid": "scheduled_ftp_backups", + "rsa.misc.device_name": "ori", + "rsa.misc.event_source": "dol3346.www.lan", + "rsa.misc.result": "unknown", + "rsa.time.day": "29", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_scp_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun", + "file.name": "dictasun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5868, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", + "rsa.internal.messageid": "scheduled_scp_backups", + "rsa.misc.device_name": "midestl", + "rsa.misc.event_source": "ercit6496.api.local", + "rsa.time.day": "12", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6010, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", + "rsa.time.day": "27", + 
"rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6096, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.email.email_dst": "tsed", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "col3570.www.invalid", + "rsa.misc.space": "", + "rsa.time.day": "11", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6216, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreveri", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "mipsamvo4282.api.home", + "rsa.time.day": "25", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Nov 9 02:12:32 umq1309.api.test uae: debug mve", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6279, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "umq1309.api.test", + "rsa.time.day": "9", + "rsa.time.month": "Nov", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + 
"event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6326, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "asnu", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "hitec", + "rsa.misc.event_source": "ugit5828.www5.test", + "rsa.time.day": "23", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6398, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", + "rsa.time.day": "7", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "radiusd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 21 23:20:14 archite1843.mail.home isqua: radiusd uta", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6491, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "uta", + "rsa.internal.messageid": "radiusd", + "rsa.misc.event_source": "archite1843.mail.home", + "rsa.time.day": "21", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", + "fileset.name": 
"nios", + "input.type": "log", + "log.offset": 6553, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntexpl", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "derit5270.mail.local", + "rsa.time.day": "5", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6625, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.156.34.19" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "itanim4024.api.example", + "rsa.time.day": "19", + "rsa.time.duration_time": 98.036, + "rsa.time.month": "January", + "service.type": "infoblox", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6745, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.222.251.114" + ], + "rsa.internal.data": "saquaea", + "rsa.internal.event_desc": "Did not receive identification string from peer", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "no identification string", + "rsa.time.day": "Did", + "rsa.time.month": "sshd[saquaea]:", + "service.type": "infoblox", + "source.ip": [ + "10.222.251.114" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": 
"infoblox.nios", + "event.module": "infoblox", + "event.original": "February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6818, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.17.87.79" + ], + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ataevi1984.internal.host", + "rsa.time.day": "17", + "rsa.time.month": "February", + "service.type": "infoblox", + "source.ip": [ + "10.17.87.79" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6915, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "idolor", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "tionula1586.host", + "rsa.time.day": "3", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6997, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "llam1884.www.corp", + "rsa.misc.result": "success", + "rsa.time.day": "17", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": 
"acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7066, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "edolorin", + "rsa.internal.event_desc": "dolorem", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "ore5643.api.lan", + "rsa.time.day": "1", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7139, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mides", + "rsa.internal.event_desc": "ciun", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "exeacomm79.api.corp", + "rsa.time.day": "15", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr", + "file.name": "lupta", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7194, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "lorsita6602.mail.local", + "rsa.misc.result_code": "npr", + "rsa.time.day": "29", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7288, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "tali", + "rsa.internal.event_desc": "BCS", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "ratv2649.www.host", + "rsa.time.day": "13", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "python", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 28 04:48:31 abor4353.www5.host ame: python tesseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7351, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tesseq", + "rsa.internal.messageid": "python", + "rsa.misc.event_source": "abor4353.www5.host", + "rsa.time.day": "28", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7405, + "network.protocol": "icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.388", + "rsa.db.index": "sinto", + "rsa.internal.data": "tdolore", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "rerepre6748.internal.domain", + "rsa.misc.version": "1.388", + "rsa.time.day": "11", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": 
"rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7521, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "amvolu", + "rsa.misc.event_source": "qui3176.internal.example", + "rsa.time.day": "25", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "monitor", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7602, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eiusmod", + "rsa.internal.messageid": "monitor", + "rsa.misc.event_source": "der7349.invalid", + "rsa.misc.event_state": "diduntu", + "rsa.time.day": "10", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7703, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "veleum3833.internal.test", + "rsa.time.day": "24", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", 
+ "event.module": "infoblox", + "event.original": "August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7772, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "aquio", + "rsa.internal.event_desc": "riatu", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "aquio6685.internal.test", + "rsa.time.day": "7", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7846, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "abor", + "rsa.internal.event_desc": "nBCSe", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "tanimid4871.internal.domain", + "rsa.time.day": "21", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7909, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uei", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "Nequepo", + "rsa.misc.event_source": "icta82.internal.lan", + "rsa.time.day": "5", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + 
"event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8005, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "inBCSe", + "rsa.internal.event_desc": "otamrem", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "dol6197.mail.localdomain", + "rsa.time.day": "19", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8087, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "lumqu617.www.test", + "rsa.misc.result": "success", + "rsa.time.day": "3", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8161, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "snostrum", + "rsa.misc.event_source": "uido492.www5.home", + "rsa.time.day": "18", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", 
+ "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8248, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.6198", + "rsa.internal.event_desc": "ommo", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "reseosqu1629.mail.lan", + "rsa.misc.version": "1.6198", + "rsa.time.day": "1", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8343, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ehende", + "rsa.internal.event_desc": "tutla", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "itseddoe5595.internal.localhost", + "rsa.time.day": "15", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8441, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "olu5333.www.domain", + "rsa.time.day": "30", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + 
]
+ },
+ {
+ "event.code": "init",
+ "event.dataset": "infoblox.nios",
+ "event.module": "infoblox",
+ "event.original": "December 14 07:24:31 dtemp1362.internal.example mips: init itae",
+ "fileset.name": "nios",
+ "input.type": "log",
+ "log.offset": 8505,
+ "observer.product": "Network",
+ "observer.type": "IPAM",
+ "observer.vendor": "Infoblox",
+ "rsa.internal.event_desc": "itae",
+ "rsa.internal.messageid": "init",
+ "rsa.misc.event_source": "dtemp1362.internal.example",
+ "rsa.time.day": "14",
+ "rsa.time.month": "December",
+ "service.type": "infoblox",
+ "tags": [
+ "infoblox.nios",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md
new file mode 100644
index 00000000000..677bfacd448
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/README.md
@@ -0,0 +1,7 @@
+# juniper module
+
+This is a module for Juniper JUNOS logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134
+at 2020-07-13 17:55:37.979403 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml
new file mode 100644
index 00000000000..12ec5964e29
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: juniper
+ junos:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9513
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
new file mode 100644
index 00000000000..1c14aa17126
--- /dev/null
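Review bot: The commented option list in config.yml stops at `var.tz_offset`, so `var.keep_raw_fields`, which this module's docs.asciidoc documents as defaulting to false and placing the raw parser output under `rsa.raw`, has no template entry and anyone copying this file will not discover it. Every other documented variable (`var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields`, `var.tz_offset`) appears here, so the omission looks accidental rather than deliberate. Add the same commented pair after the `var.rsa_fields` block: `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. If the fileset does not actually read this variable, the docs.asciidoc entry should be dropped instead so the two files agree.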
+++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: juniper
+:has-dashboards: false
+
+== Juniper module
+
+experimental[]
+
+This is a module for receiving Juniper JUNOS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: junos
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `junos` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9513`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/juniper/_meta/fields.yml b/x-pack/filebeat/module/juniper/_meta/fields.yml
new file mode 100644
index 00000000000..f8303d0dc88
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: juniper
+ title: Juniper JUNOS
+ description: >
+ juniper fields.
+ fields:
diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go
new file mode 100644
index 00000000000..392e80bb2ab
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package juniper + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "juniper", asset.ModuleFieldsPri, AssetJuniper); err != nil { + panic(err) + } +} + +// AssetJuniper returns asset data. +// This is the base64 encoded gzipped contents of module/juniper. +func AssetJuniper() string { + return "eJzsvf9zGzeSKP77/hX45IeP7ZRDJ07ie+u3d698knLRru3oLNu5erVVUyCmSSLCAGMAQ4r561+hgRkOORhKogBKvvf2h61YJBvdDaDR3/s7cgXr1+SPRvIa9F8IsdwKeE3+7v9A/v7p/W+XfyGkBMM0ry1X8jX5t78QQtrfkBkHUZrJX0j4r9f4qfvfd0TSCl4TCXal9NWESwt6RhlM3N+7rxGilqBXmlt4Taxu+p/YdQ2vHY4rpcve30uY0UbYApd8TWZUGNj6eIBu+7/3tAKiZsQuoEWMdIiR1QI04GdW09mMM7KghkwBJFFTA3oJ5WRAnzb0DsTMtWrq25Oyy9TNsoi1pGKLvPHVx9aPLbFZpDLzrb/vX2F8wwa78nHBjfse4YY0BkpiFWG0tk3gv6YrUoExdO7+TS1hqgLjiFbu8x3QhLxVc3IKTJV4jCOEeFh8F6lDyWnhwhKkLRxpiQEHhDNzP7DcIM+ZkhakNe5+cGkslbZFw0RxtLw6BMGS2t0Phthxj5NbglBLVgvOFoQSA8ZwJcmCW0MoeQ/2d24lGNPu/mRwNDpizUI1oiQSlqDJFLpzV1NtgLwDSx1qlMy0qnpLPX2r5ubFBWVXYM2zAfhTroFZsX5ObMCbkg/ghYU/4bKH5iTKSAFLEAdwUii5ez+3OHkKtQZGbcCkhBmXUBIlBaJl6VQAqWgdx6oy8yLZhdmzx+/CPT8//YEsqWjCjeclSMtnPJxOuKbMEqHmfr/0YCOQOu7Ah9OC33PbUVNtOWsE1fj7sLGT0ZMxAH3QSYmdjAHk8ZMyuiXL4+7Jy/+3J/v3xK2aZ0Pud33V9I8CCdndlkeD3ZIeIvSyo6bBqEazTG/v/dmW6/7fDzNjqYUKpH2MyNGm5LZggu7c4UeCHkir148RsYXTqR4jYlwehlhejamVHI/3pJVAD5Eeedk2AyhT2lAjek3Mzux9sXULOGwGeshASbifFbGjhwyg32BFjHNxx7VyJC7Knlclyj7PrgGZidhHIhy8M/vYMdTqRvIvDWzUaN3RH/603jZqT5Rk7nGgVj12y3ZE3Cx5XnHY5+6JW4bPOKP9+/xWzcnZEqQllyicSSNL0M4E0RAE1YD0Gb+GkhiwDsjWj7fXMOMGS7sJA9j3Nli6TRiAvtOmDD2B6f1Lhx3MAV134MndeLBQJpO+2j+Xvypj+yJS7J5IA7Lkct5+aGLHpudD+nr4yw85YIMfjTL2/GL5E6FlqZ2sHLvuu8wdUG/V18rc5avc7H31fy97Hbfyy4ZdueAdaX1vWUkomfMlyM5J9vUqAo
5Fh/kv8log5WNU/r6OiMaoQ0PV60LDlwx73Q8e4gYj3dM1cvnML00u8CI9D95sS8nHdQ2E0aEEmQIBbhegyadzaX94RZQmvwhF7Y8vyZQaPEVtgGzG541G1e8Gug9Rd79iujEMms/4TOBfcL+eq1xutn3WcbvyV+9gUHpFdZlNqetJtB7ZfU6eX3ze0vco0SDo7pYSYtbGQhUe0YC2g7YAf1KNZ577t9J8ziUV7W+2tZUb+JBL/9qTGHF+8flVhAUB/QEn7s+CDqMhl1O8PpuDOlQcD319FkBL0EeJXf+KS5Hz0/tEST2+/WApgjksVvqonWyCFdn9bLRVtM43ihZeFGe6nCghgFmlv0YB7Lj3ADk37sxxQ5hnHZQO0y1F9a3aVVvIHkY/QouvYtPHoqpWymCyW6Ukma4Hm0aIhi8NGOsAGl7VYh32yX3ZCXoClC2I4SWQp98Tu9ANefnzz8/IihpiAGS3yh5OPArl9RacMLWSBvKxgn01p4KpRtrOp9BUUy/03FU2UQjkKZ2qJfSYwWU0s7IVb8ZqoNXo/WFfzbF5YFZByZtdPS0Fo76JaY6dY4HPCLf/bF5+/8NfjRfpL2oUoC3S/xxQ809nD76la9DkJTmTjNamET6y4kzKO8n1GPR7Bj8iuZWxVX58Sf7Vkfuc/Pgj+VfClHb6MlIRFn1O/n9h/6f7IjdkmynfRLdQqhIera0rV1AwKsSUsqu8GrBHTiqL14Zab1c4JoIsa8WlRdPEQjzBGQ9HAVqrTPlpG33Q1MA4FYgxYmqs0k6zlmuvdbgPllTw0h+MGFKEzFQjS/fCCEDkuZwH5ejG5MXtGzGAnCIWGK7DnrDRyC6shaLlY3nnAjrE8D+BVGA1ZxGrI5jC/S+jLeyf+1YIu2ef2o1Gq2bttk3Ir2rltmZoc3JJlHbGmFXkCqC+gWmP4sX7SpimFQNjiiUvizJX1PWslTxzkKCpxUteOg727MIl17ahwhntW753GXFx8Io7sxtj5cgMT0W46uenRDtpbdChgkyjeg62+9qNnDA6U9LTg3PCZ8Lt54TOEgoaCv7z09b3+gEqZYFchvPONOBDO12PCUr3vzYQ8xUEXsJKhakFz5nZ8KjNecMHav+j0M2czM143vHWuTcgnPX21LVWS3hC/ntEGL14mXHxADF6t6ozji5O3lwE3ZdR6djDq1rpXY2X4BP51aVBNI/D/fHJP1VoiKPpHnOlbpvyzeYnG4Pd6zlomU/Iy59fkRXyvQIqCRUi7itApz6qSRv/EVmBBg+WWiKAGkuU3CkX2Wbig6uJXzcTI3c1R9g28O53pUtkHGY1AVtIJdR8vRuIm3E90GIJ+ZmwBdWUWc9Ed6nXiD86zSVpZMjpEVs+89GK2tQF3T5QnzOIsCd2iRZF5ZRMJdswgqarUZmGknVHraQMNVYfo5DB56AYa3QL0VgqS6pLIpWuqOB/xvJ7la6i/ClDlsPBLFLNdPAk3YlJG6w7ZF4IPgOkOGLgG2BKliMK9ma7C2Nz+ln2EMQlU1UtwEYPwKgTlaICbzXfEYO9ejNtH+ggX7q1o8d57Chvn8zR41cpaReJtmlTn5oq52WT5VQ+EOPPZJmD7Q7kn0rm7rawRyy61VsV06fXftzl8EBEZbvRb4iFaxsuH1mCNr1yinJfHlhkf+972NZAU5G5KdNjSpdQ5nsHQ5JNeKZMt2KrY7SZNt0X+/H14WulVTVBqA0W5RsGkmquvFpfNcLy7ywHTWhdi7b6ZdPLpqKSzmOluYQIDO+09qJHyuNqCLdPDFEr6SNjllb1rmcwYOxWcygOb581hC24s25UCWZC3jXGopnUB+puJbUjebnUwoGbtFeAzWYO7yUcQxPCTW4X9LzTMAMNkvkDQZ1qXfIlL51mg+chLsguW0H2cYd5cSKva66PRuFmP30s6NqdRG7F2hNrnNBz+ppDCg/oft9owk0fdeE8d9K4k2eTwZJdOplqUkugaqDI3Rdix//UVwU1yC
8NNEc7Su50+1O0kY8raggiUY6cG0Tuh9RMTagUbDE0g0ybVzbD6zuvcuBaFxlQrYsc2nOdUhRtA32ZHGoGXan3ijyMCbljPkbfmMFzeac351CxeZNcOyRYsHkgdrohpHYEUTZQ4lMo1qYRucNOI1aUaixTFbzwOHTGC2Zlq9nghFAZWLBlQI4cEFiC5jZn6cgewtrVQxFgL7Kzz+WTt3hx0DvQv9JdpYuDhnGnGhif8Y3hE9dufTBnrKdK0JXzZzNFNqBzMfJyUzDRuqjKEGSJ4h3M5mNtwudtK71vCSpNfrsMqbHctAkBu341XL/dobEqSVMrwxMKjludLTSnZek7TGEqf3t3R7vwNMIW+VoX3VEUyaYCzdldZVGUtiNUse0hrF/J1t0ML5b8/R6QtgRZKh0SZvdSpqZ/PED3mja0q6Z/AIvb0Q6x/LXgA3Y7CbofMS/pc/aq+2Z4IUPVfxAzwcu1oF1usVSWULIIHS/iCbRCzYs2UeVBhHp7EO8s1I/RM2VL9v0Hplth12oUH3HFXwnO1rlvzx65cIEIhObaUqxH5HIjcuZNxxn4oRGAiMXFqZIWrnNrrB1C59L76zb9UGlZGvd/+KhS0SIUawBzw+PMFlTOoZCwyi0LxgKXsOqF+lEJsVbzaWOhJyGGOfrGo+609f7zFxcdpqbJhF3HOcGzta3cxzQ0BHfzizwyff0tYtxiBZhjWNtw0GxyvvQS9IRcgt+UxoCe0DlgK++Q6T5TusVhALsF4/V2hr8n/ve9vhVKk6lWK/dZ+9ega3qza7Sf9Hl5QbVN7abrAKf2qIQ7pQbVoce6U0qUndqY60qpGkJAMddb/EYSKkDbLrtIbxYNf/PhrSA+ek0AMAkpojCXRCr5nYYa0JLZl/2AZsMxnxzWaO0uTGev4E6iHveC+whbG/4ZULbidhGUZS/rySkuOMVqE0mU/G6u3H/veQlQSSkiimNGumkvGPgCEXBIqhlx0sFyMBNyuZEpu4MN+pVVeTA+8eV8jXFGjC8Z9ck2ZRC/gfGUMNEY2x7I8I/BNuFPuHE7GWqig3/DKb746bgKdHTtx9+wuEXv2zLlU8qe3GR4OSxPEQtCjVGMo7/U7UbUnsQNe8uv4DWhpF6sDWdUkJKbq+ek1jgT5TkBy57EFWWq6SG1l3d86H2djaYVWNCG1NRgFy+DjRx8LwKmqspJMbUVtB+W1oBle9U9/x48lMbX28MMD5MX30xVdTO8gxm2jZIVl6VahXxapiSD2j7vMilGmTEgc9YIsSZfGiq887NUFeUySA3ZW0iokaer7/VMpS7tId2phG+5vIIy1AK1iejUoHcqGCjuk2861Ca83LdxYtAVIquo60928m6JXQRa9HCk1YPg9VsdPK/kctiupws6g6747mCn3C7WsCZi68//fk37x8Sa9oyL/He8I/kXXK27xhrKhgFpI0cQd7cZ0JyKIvKaZntELnHJVm3efR97D6B7YUb9AsCuzEEtB1J4jMPq7qFbULPobqhTCyNVhg1b+MzftsamKzM8aSHttAhzhHTLTIxm7lfdv4eVpsTJc0k45tw1kgmg2v0JG+FtUAsFhMHbqdvCzpujD174NcM+T4/6xWKqmnLZ9c3uP1ihbFTf4fVact2YY3v6+toIIjDu8TtOgDRyJU786r4n47in1Ftw2V3jHfu8l/n8lLz3kuZpaNxA/LS9UPTrcHsW16u9A/ohfPk99/P5KbI0lLx1YmLoPdiOyPk0QE/CxB8iJwtW3MSN1KVZ5+xlvx3VDQXaXl3Y68eW3vg+4qlxrD/pFibnpzdqsqn8czdosg6xl7LcaLQTcuLrM0O/U+E/2K/NIoJ6+xs/fBPccdPGdpWbynaPUSMFGM8Z5R+UlSJLqjmdikEVoG/KwCWpBR0RBAakydofZWtD+6qqX3niJJXTMNr6Qu72+fLF+cWuDk1Cy1jvURiryz5woOCtayE3kRaPJDmXllzyuaQoLEaOaK10zua1Twbyyx
3Si1Z3U9jVEf/TIdK7y3jKShU5OO9/+0i4ZKIpwYmzMMjW/XxCnp5d06oW8JpceIeIB4vSexL3i2Bk7uixTXRObZ6WOGbcXDmV+wC87lCK13Njvg9PwwdurvaEXK3m8znofCPs4iz73I8FBBxQO11oMAslSnd6vK0+Mml0K/R+BM/CMPYepPLTD17HeNY14zg/jZeR3Do6z1RVF0fOu8JdCblXOMbV+/dMM/3OoaMk1qfOcNyMKhs2ZqUFtfSBssb6mHfSUmnsPODkeovfyJQ4qssV1Q+ToTfsqu+kKw0PkSNipDXyUydEKXlHWdtPOa7cOhF0VDtGye9aBVXvl0Le1kw+1FoDNclzg42ltkmlOHf+KMrFg5kdbvGpuia8fDH+frmXtTkGhg6jT4PGx/4uOCziV7d9xzJP3xsc8tPh3L1DnjMuVZMqxtmrIzHz5HfKSdKUToeBR/anxIBzd2bcOhJvhHByj5iGMTBm1ghy5tYnTJVg3JFom/3GLQsuS7hOzADBjT1M87ynbMGF0RTTLRJT0BjfrKjmAjN4Ih48H3+Xc0KRid+530YpkxnOoZr65kIPpBGH1cnTLp+zBm3qUHTrJcyAZUFF2CTEtx2eno0UGXo31/A9zp1Q4pWvLskr+Kr8t92HlEtDSrCUi4iTYaoa2/vdCGlKHD03s/XY0i6PDfEYf0gtVLXIls3zhpQwoyEEFDpftjH8kK3ptOIlaEHXWMhlVXhcydPIjXQfoNUdfg2ztgrc++qN5bbBxowkStjGNhg2bLrvdU0axer5dxhNjWkGWcVUVbn7lOcYnXjohPeSfWutlrz0/rO2i1wFZjQRqlTs8EDj3b1lv3Cx0RpZPy8vrhpc15j09DCyvl09r6z/Q00P9DsdTN7f1TQEYOK3q+b5GueeYkKx3/nLi3NyPlCo+mhk61obqkv2Y5CwsKurhp0nNaTv4g8LudVx5d6LiGKqytwVX4OKu12lI+BCHC4j6tEifbcEHzI4QuV5zwUcSod9Am0XD+FzXnahnBEnXpXaahyUgSd4+dMpeR3ddZPzmWqne1988t1z2kAUJmtcA2v6XgSf+jWFWHlr24VpX+LGERwhUa94ue0Q6aor6ZJyQYeBDNK5wgnWV85A65FJC/4OHeLrTxd3C8ZKFRpA+QDsgKSQbmD4fDIiEXlVTJuyXCf3z/CqSFoH1IPbGDis0fleL1V6iJqrhF0OdkrsCtMcoyCBm372qu+5SpuS266ybtMXLWAUG2y3qdjwomQTXthPpM8SS83B5dGs8pPPZ+RpqJX43AinK0+5wAIOzAM7u66Vcd98Rr4bOhrkbhTmSqqV3DKEDLAGm1kst6GPTNpk9AguuN200JO2yv19KE16C3PK1uTTqLkm+FTThyjKDwtvsZhLUlEuZ5pWsDcdo6Yap/bm75OwpVxe4LLkvSp9cvSmLWAv6yyCFLlB+8JUAceIXBbSdt+497AivzYSTcl3qgRBnnK5nHz7nHDFnpOp+z9w/0clFWvDzeTbeHzRsrqYCTqYnJ9ah9rW8E8uCC6Kvi6Uk+t2+JWa7W3UYFVWTP1fpwHPtg2CAe0OchShZZVW7u5g9vnd71QD+egTgL/99vO73998OPv2W59zu6Sa8tEzuVL6KmXJ8o0X7Pd2wX6EbdQJRmVqJSLU7KTtUtI9B5S552KdwYSZKQ3ScJZSgPRcSRkwrtJ7QSLxgVRAixXlw+HE9/YOYO/z1EDd9Uldom6aaaZLYaelsTp15TvWa2dziPXf0mTvaFvzkc9Jemixy2Yw2EClCcUmm7qXUO/iQMz4qKOpJTWbI/ZQUqPdiCJk7pb3xIXywf0E7+64cMgH/f/DcNWNyuwn/z3IESt7PvqAyF4kH+RwtHHcffgpdYSkra2d7dmlT22X0d5m2WGfzGfodhuc3Jsj023Lan6MeBgWfc0oF47XbTOXiyAzzk/7tW3YicuZgxbmkRYG41mFbc514VTEA+g5JPEa061D9dGJqq
pG7nqiBtjJwxo33Re793Bt/wPiOnWHmzlMs74vbpdUlv+u4lGzDW6WWn6IZLg3dsOFt5Azjak54ypZluixLHjEfkW1HAYdHjvqRlZ1oXIJ48v37y7Ib96PuklKjSPy5aipBJf/+ZZ8aUCP9G5thCw07HbqzJvc0HOIrsmHtugsmtbVaeks4UPaB6pSjxFwQOuDHEc3QbWR4Ni94ZbpBzRQQXWVYbcc2AzuBVonLEDugDZlsqm0WzDTdrvaAl1Su6sV3hfuFCRbVFSnKivp4K5rOhhffO/oE2WDdKokMItF8rPAYJa2gKoDPJtjq6UMYNX0jwxQa5p8EobvOJX8eGHQveCpH5zQua0Cp3omR1oWlOFglPTlJw62kQmN9x7g6bxe/iSv7SL5+85kwawuSpO073oPuoN8WOTpFoCXgiaXGLIAOecyYVHkEHSO3GhZzAqz4pYllx+ymAm1MrRKn7vShy3tMh/0DFEXJgsuc4oTLmvQ1XSdLOF9ALtmV3mAL6nIcVZ4XdRaWVWkD0kh9OVPBXoc08MW2e6mUPOizMFsBzh9/huTRUWvC2tTuQ22AbsTLSDDo1BxmQlpLvMhXQtTiKkoUodFt2B/nxF48s7gPdipeyH2Yaeu6u3D/jkj7FcZYf9LRtj/IyPsv+aBbVUt6BRyiJQOenrzTBZVI1D5nq4zvJMt8Poqg15SNYLPqzqP9u20TCrmqZOQAmSeQykx8IWl943IwviExAw7aDTLY006wHmsSbM2TZ1hFimTXVl1FlPVKutMD7jOIEKsss4wywUbzZoswBvJryWVygDLcAiXrxxXMj0Ky1eqtgugZQa3mqrqgokMPmwHOEOQBOHq6dqmd4s6yCYL5LopMsQ0mOaWMyoyFBCZgs5BsnXCrKs+bEnF+k8opznwXhbYBjQLZN8OJg/WPrE2C/TpvF6+yuODNsWU279maTTGTJF2VtwOYK2Si2qT5ZojVGA6fZWb8T7+ZLO2eoDBLryfP71zxANHtS8LcN9NPl0HuR7sGReQw4YxxSzHJvJZyuLsbcA5dANT8BqTFIssoo7Xy59KY+tBM/9EsI1mWWALPoMcZoxBR3MFJU9WMLoNm8s8p6RSZSPAMJWD2wE4n2eQTao2K2qTzvzvQY9lkCcBrGHOjdU0vSdkAzuDxqehzsVqnY3XBjuR60zy1Wfm+yOeAbrVQKsMiqQvBcqFdj7lerVQ3BR+wmx66GuqaZYDXo4UwqaAvPTz7VPD5cZSmXzOcWnstNGphgW2UMHPCsoBtUmOa3o9uq1JTg0WJzfM0g+7PrTTwD6Yc1qWqe8AL1OHVdvWQRneIl4VTCtVZelK5ABnMNN4VeRJjgwdj3Kwub5K3p6pNulblvLa1JonBiqo5bZJnn0muIR0LXY2UE3SiTodXCy+Te/WEsp3PS1mQiV/zjvgGVL+nc2bXOo4oBkkjrOhM6CaPDdBqHmWoyvnWS5wrXRqAVZNm3mOa1Zxw3KIhcpkObA55kBIsNhcKTnc5DLcN4BOnfHnoaZOx5OrVWoLJEtFmfIDoJNboiq9ZqQ0nxeReVz3hruSoNO/WXXhh/ImB5t0MvUGrB/xmuWQZSjcDDNxUguDADa1NKgL70hKji41xn1YsEWqOv8BaLiuefJAQA26mmsq7aDnbgrIqyyA0z+9vhPZp087U0ATANZqXlBTJxwY0AetaWqoGqjIod9pYMgH33U0E/D0THaQ07Zw7UFWusyAcXpHpsngGzbeN5whH8BA6kQAP/A4g3Fi4Ev6AxBr0JoMagZTyvB5BsFr6tReNqNZjnugWZlckTaaxbriJgBs043Y6sNsTPKumksmUxdKRKfF3heob9KZmnw7t+mPlQeaPqLXzfRMDXddJ+/W2pTTLHnojRYZ3sLGgC5KnrrqPcvYijYylIMNlhlLq9Te4GXBpbF0lkEzWHJtc6jhy1pmaN1klW5kSjdrrC1apKPom8Yq8qGRZLB0lz2ScVjeZyp4SU40lNySE6
rL0M3QYPv3ODp+clZGLo1NCEUwOESfYH8DpgSJlep0+RBc5uPcWVULtYbBYMEb+TdTTbKm3rc8Y46H3meE8840zOGaVHS30cImFivnze4wkOxICm5wOEO7eth6bKBETFPXSlsybDxKyGpBLeGW1BpmY0fhHmm5dxlCEWN8sDo6FAiXobP7SF9owWXuifw9VN1qfTwNsWoOdgF6svm+Wahm8KIRImEJuhtHZBWpqTZA3oGlOBHc31XaseDpWzU3Ly582eszchpGfD0ndhGZUoTNgD9AGH2MaEvyHuzv3Eow8X0eHuoszJvhyO7uFuHinlgDVLPFhEsexQ9n7h6hv/aO+MRZGJgM8ULQRuKs33mDc1zbJu7xBu47/dr30JS/HXdHU9eEO8wvHjH23UYUCWuabtd5FZclH+Ha4q0YcxccYxr1iEDaDK57jxOqpRiZeIndczOOA8f+uQYs0fClAWP3NO0+PFv57r3yvcqAY3n8ql5i73qkurzTbXfKPpw8Rhgb2/o7dmg3r6OUp5z9f/N8Q7fY+WkrFHDt+NlAqyFdEu8dj7B7XKbUAPHp2h02ZHCrul0Kv3gYfGU3Cr7DXGnfvj7KRkKoIQYAx53R/fOqNJWGsiOM9x10mPZLS1R7N4eGNRonoO1DugZdca9uHAvpzZJ+MAdfcgFzIAKWIAg1hs+l37jNvP740ceWzA8ov3H9PSd9+iCTnh1mjeRfGtgdk0jjl6+H72EdEw+bgtJqNLz0F5IpKQFzK8iK28WYoCAkUhnSaewaDiovurNp4diJ8qR7ooSac0YFcRiMmD6IxcNih0uNjGl8ON7Vi7WJo9dLZ1upnazW1A88FZyaYqGy2wTeiOvMNZylshlq5KRifwRPvB8A8ZfGYYtvWhjEwgRQPXkjjHKG+NZ9O8VgOfk1/GJC3sh1968BdIu2vJGW0HLCVFU3FnRcDGdx4zvC8pln3+zuBc5Y3NoQbv/ZvPz+h7862/e0tx0tx76Joh3OaZE2YnZbxw1dgyb/0vnkzIuABiIXv/Wp63/yn3m5wXnr1O/djwOTl2+SbU92B6a4dSbk/W8fzxztoME7T9BfWnLDNNRUsrXTKoN6JnZzQQhy6Dn5+O41OZf2x5fPyfn707P/ek0+nUv76ifydLVYEwncLkATtlAmjEpTWgOz+K0fXv2v/+/ZkyhHwC4yyrhdfqBMnVQ0Po7HZD59d7zml/4snrdIxa94+biQ7sumGzA/sGHcrR/4GL47iunGOvnMtW2oIG/fvI8i+6eSkM+XddjJ+N9KwiTOW4fuVyNCkZCbhSduwWN8g/fsw5xaWNEHGJGOp/uCvClLjX5af8pj6HRPL6vqQ+Oc942FnJ+8u/Cv0mh4rKLmiNGPLaeS11TD203OLxwqI94vx8MDJ0Ek4aFbe5yHrSZW+OlaxxUQPXRpWXL3ZSo2AdveLP/4O3fEA+BMQrzgKtzw0+0jMEBlk2udRa+77ZNGyfuA4YXSthPJA6FbYoANN4Db9c2S1xyZ954eLuftY9KS9W6M8RJiduOxvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrD1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwABrsmV2AlmDJx3UNz8mn9hl7iw6wH8lF6wAbvAS/jWlq7aieIygTI6Zxi3Twiz8nVIioMlFvvogJblRjYt4StHsDubSKGIuPOZfk0/moQGGYIJtNXiUX2Q6oqjOMfXOANZjUGb0ObIYSF/8ipk5FR397Bmz9aIVCgJwnnxSJODvlI6MWOqKBepWHil4ARhKG6QQzQskvSq+oLodzugl5M8dkL02ou/HXmEs3BbsCkHHVM3HXxLvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3
EpqDxGHP8WDso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eBuF7Gn2nLWCKoJ9osmLRJPz65fv1VzNZvFp78DK+wCsm/vFrIf3YL+NvbwPnN4O3TfNHYB0oZk8VG0TZOyc8LtEnr8kuOofzKgRxFWjWXquJwOS44jfNkwBsaM4Iydxw9rjnZY4gniRZyKO1d6TSKFCQPcjiGctnCEHRydVMIAn6mVdO+Kk1sx5bD7IRkoSttULdP1oxt5NynxXUuxZkBwKDt6gh9mRx/mkhhum4j8JFhcAEFEB6gLaggtVe1eF7sArolayc2WecZZeq2kqkbyanEmh+G+Rf1xlQin3HNZOvmjtOkYQMkvXAB5ExCbDNhwG2ev7Ajzd3I0Ybyj/0HSFUZZcBmyFtJyIUZjhBEp693vwQifr3cZ6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGIhwbuTNJpwKLyGbkZD9uXC47sZMRyV0Mt7ROEkVgC8Okw2UOQDCyfodf7t3tvbKb+zZ67DZllo20u+VsqTX6EsvAC3aIWX8rLQjf4zlI0Jy1JCFDMNFvN7WA2wU+tbHZbiQgO2E/TIzV48HPlqZD2m49GE0v99MU1Au/Vka6oqZpZ4RbXoFxct1rexpqGA0ihV1I1hTixo3AxoP33AZ9y6N1SO/uBztaP96Oph8Kk2zI6a1JCw7jmygc0IYUbwTCLYTB10vdyxup00fdO3/RktCmb965ZL1UjyNAbpDjnQD5eo/jjzdvWarRBsfZstvJR31UCZLyjt1Cfhz1OKakbXAYO6UeS9B2/NTJK3cauygqsAv1AFESuuVJJh6N8LXRDcdeSlpl9Trtiep8UCL4ax0ie85lJk/If01+/v578vTt6ZuLZ+SUG8vlvOFmASWWwkdxEWqusvcF2hcJw2zZmccjbDN+cSRjTKvMXsV99Z9uV2MYdDcGPfLJhj7f5bowTPvv6n57jj/EKRYzpTLWJn2TKUZFqu50O4R8oCVvjF+BKE0Mr7ig2osnJzbdHWL4rsfLq/CeG14es9NIP1P+kzsIrRdxpy/m5pLnq7N4I/fddQxrhErDnv83OInwk8FZCI4b6JVllHFXptI5EwMGIRtktdJzKvmfe7KqZb6jcFtmH8Dp/pkaYfeM62gtaaauP7+45fC18C2+fO+irazmX4EKu2BUA6k1lKrikkYL7nri6YJaDtKaG9PjBT0mtW/pgxLrWz9CnenguqvzxAmummqLzZA2pO4Xq0dsdhSEzW0k6gxK0NRCWSRLKttzPpzw+aVdsQueXWi15GXXPCx8j9a1CJrq4GCE5j/uWdvWaeMKzoZIXh6Jym7J0OvPrkfIjA4PxczJJffR88Wu4j7SAq5TOlMOBb+r5gnXqDP1ftSrhJ5HCPU6Kmqs1BBjlfYS30GrwFJc7Ql+a+K+9SROfcXLUsDxpNw7XO+2ci6yvT25d5Cca8djHIfci7Bar8OQXLfR2eekFtRtmXuflSYgmV7XY15+TIU8gj15iww63dmWvypjyTvKFlyOmHQlzSQ5vtnl9SeJmf61Bic+nH7km5yZCXlb0pp8xn94/ahU0ted/nP4eJIFXYLTnARQTb40oNcEexCaWkkDrUYVL0519Bb4m+PIy9ADjznImrddIKUn3/flG8ezJekIqG4O0IfQHPW2mOKUp7wOs90z3raW3mpi5GzD8PByQ3QjZdSONc+7l8dHnn0bqZEauwCxCBZm/o2gZMVlqVaGmBoYn3HmPnkeqxMMebLDC+LI8/hucm7IU+wIC5JtniEMXT7rcYs0Et/xtzCnbE0+me3Gt10EttotpE2eXetWOILBPvLa900tRAVr1fCQuRdxwPGuD0Ck+n+r0hTLeYbs2yY7v0I91p3Xq9cRipHC6EELvzmA2OPk9Y6RGjJ8g+u9lXVnSPp4F9AhNcdx2HUBg+292SRk+m0Y7FC8IcXNxc9YNpByJOBohRuSXMKMy+CrR+
GEXf0qWo80HUTsDioUy4TbxgGzo/6lFoydzzY37aGX0khvys6HbS1li+rILfA3qyLDycA66m9HliEvUy7TTRBLejccyVhUmPfxjAipftkObotvo70p749M7RxgnfftuwHrmur2TLk/P9+QslrwQSt14m6Hs2V98vutyLPJZ5b4thZKr/Nt+N9MTeW/3dgxpkVku4t6q57HnibHlr+9QOg30PZgKtGAqrbf+n6qRk9BAdJqVR8iOkrVTAfOhVud8bCms7bhhnIExNFXdxz3Hp6oqqZy3d1HvHY4Tt/bK0vQ7hkquJypuFJAzVXuGqEb5MeOFdlitoK8XdFnX3LlCPzSCLEm/9lQwWccSnKKdc/eORhFZQXTgil1xR8o6P47TIlff2M/UzGmzSfvNrsJh9eNRZX7wBGmN9/1D90SYcpOcEd7n/yEfFzXnvSN58Axx+/g+OZpmBVJm8nuoO1w8I4I/cTE2tbuInMMV12nXG5j5z2LtdKttx9DzB/ejmx5r1dO4uPU8qLOO4doDyvcyjd67ls0tVKZNJFtpNw6bj9ITW3cNclkQU3KaH8PsA7l9IkhN1ok3OYe1IS70hmjRaNTeUN6MA3ogs7T2ZQb0Mmfp23QSdMft0GHU59BsMC1BYmqVXrjxMFPdpo7RW+hYSdVJrVG5Zc4Ri3hlsz9iMuievUi/PdJQOFF+I+Q1xRz+1MBOp6dF8h5wOi5J6YfPEePa2/U2oCcMgxEcyYVlzPQeiTuOqT7KHT1Ff8bWR91zx4BybYv8ay3DZErhWFtlfVKRZY42vE783F7d+w+Ygax7v/pHzBM0Bof+MnrBejj+COczh4ynp6e4OjHZ+QE14+jBtoeqVnKCJ9PQIfhn7CVhbmnOS9kDR33GNnbcLfoE9PrFL13p/mfh3ol794aJb7b5JL/GffW8KtMMuX8H2dEwlxZ7jewXlAzMgHKsGO3FeptpV98fLig2+psE6AGCS47Z6xtnN7W38QTUgyfH6OiYru/UTf18OPooGUnTbgxTXKlEyFjslQ+b939YiiIIWid1Qc62JS+9Dxzi5NLDE7vk05HyZDoOoOHKPLTS0zt3P8Y9aTnYUjeXXruwXFchBojimXOF303pBoc2VFkysIdPdokb9NocgHmVxAs6kzNDb7ZjCvpP0goW38iBuN1SpPzyzf/eHdBLtw7RX6TI9NXNthmqqQ+BNuPKxXHFsUQWwC7Mgc5kW8nhPP2IIsNnev6dXYtwjANNIwg3EjBPVouaD5oCvkASq7Ho+sKMmo0IM6W2uZoEz77WC6p4KU/iBEkdgXh0bpa7xOEyLErWJtdsZ3o5LcJpIlhL6ytTcFxBm0W0LiVORjC6CO4TXwu28oXpbld33CjmKqqrH3ibom3xyM4hOIl+CuuQexamqldLCtBZWHMQw28dSt7Gf57oLat0Ypi60uNi1rxY6RVxxD2GBDEAJGKWwPIVragUg4aZ+RuNxVWRURGYrZHatvcPSxh5uHvb9+8D+/ei53luwfFKr3r+0/es42bq2KpRJOLAW/aOc4yzLnpJmO343wbya0hTz0S5hl268DC3nai7g54gkhHqRFNJmn2NuD6SXIb0gUm20UHS9CYKTBrBGFKMqitM5Qv/R6OtFdYrXJKX894Z7C3I7QdorXSlijH31///U0sBTfK9tTnTun58RMsdwsMtlysU+qbnUQbxfzH2W8X5xfkHb2uuCy7sd7xbXW0HT0Nc2uI4ghZgYwBdfvI6tSneMli8vRsX+VYzI5XsPnQRfgtydnVji1nWZDK56ehS2/AYi+G4nib8sC9AlqKq//2dcNdYY4sh5pk6tuN/hJnQj9QdmMYV41WfBfUrXxx73NimkiKOjXkb8ZqJef/NhWUXQluLJR/exH+9rz7lMsZsPhHM65hRUVUkaFT0fsNobIkRpGRY6lhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1X/5PAAAA//
/7GLnI" +} diff --git a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
new file mode 100644
index 00000000000..95d8bf8a477
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Junos"
+ type: "Routers"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/juniper/junos/config/liblogparser.js
+ - ${path.home}/module/juniper/junos/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
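Review bot: `debug: {{.debug}}` on the script processor carries no comment that enabling it makes liblogparser.js write the full raw message of every dissect attempt to the Beat log (the `console.debug(" input: <<" + msg + ">>")` call in the `match` helper of the next file in this diff), so a `debug: true` left behind in a production module config copies potentially sensitive log content into Filebeat's own log file. I would document that inline: `debug: {{.debug}}  # logs every raw message to the Beat log; leave disabled outside troubleshooting`. The same goes for `rsa: {{.rsa_fields}}`: the field schema added earlier in this diff includes a `password` keyword described as "Passwords seen in any session, plain text or encrypted", so presumably enabling rsa_fields indexes that value verbatim, and a one-line comment pointing at that trade-off would help operators decide deliberately.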
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + +var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + +var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], +}); + +var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + +var dup20 = setc("eventcategory","1605000000"); + 
+var dup21 = setf("msg","$MSG"); + +var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup23 = setf("hostname","hhost"); + +var dup24 = setc("event_description","AUDIT"); + +var dup25 = setc("event_description","CRON command"); + +var dup26 = setc("eventcategory","1801030000"); + +var dup27 = setc("eventcategory","1801020000"); + +var dup28 = setc("eventcategory","1605010000"); + +var dup29 = setc("eventcategory","1603000000"); + +var dup30 = setc("event_description","Process mode"); + +var dup31 = setc("event_description","NTP Server Unreachable"); + +var dup32 = setc("eventcategory","1401060000"); + +var dup33 = setc("ec_theme","Authentication"); + +var dup34 = setc("ec_subject","User"); + +var dup35 = setc("ec_activity","Logon"); + +var dup36 = setc("ec_outcome","Success"); + +var dup37 = setc("event_description","rpd proceeding"); + +var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var dup41 = setc("eventcategory","1701010000"); + +var dup42 = setc("ec_outcome","Failure"); + +var dup43 = setc("eventcategory","1401030000"); + +var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var dup45 = setc("eventcategory","1803000000"); + +var dup46 = setc("event_type","VPN"); + +var dup47 = setc("eventcategory","1605020000"); + +var dup48 = setc("eventcategory","1602020000"); + +var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var dup50 = setc("eventcategory","1603020000"); + +var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup52 = setc("ec_subject","NetworkComm"); 
+ +var dup53 = setc("ec_activity","Create"); + +var dup54 = setc("ec_activity","Stop"); + +var dup55 = setc("event_description","Trap state change"); + +var dup56 = setc("event_description","peer NLRI mismatch"); + +var dup57 = setc("eventcategory","1605030000"); + +var dup58 = setc("eventcategory","1603010000"); + +var dup59 = setc("eventcategory","1606000000"); + +var dup60 = setf("hostname","hhostname"); + +var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup62 = setc("eventcategory","1401050200"); + +var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + +var dup64 = setc("event_description","unable to run in the background as a daemon"); + +var dup65 = setc("event_description","Another copy of this program is running"); + +var dup66 = setc("event_description","Unable to lock PID file"); + +var dup67 = setc("event_description","Unable to update process PID file"); + +var dup68 = setc("eventcategory","1301000000"); + +var dup69 = setc("event_description","Command stopped"); + +var dup70 = setc("event_description","Unable to create pipes for command"); + +var dup71 = setc("event_description","Command exited"); + +var dup72 = setc("eventcategory","1603050000"); + +var dup73 = setc("eventcategory","1801010000"); + +var dup74 = setc("event_description","Login failure"); + +var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var dup77 = setc("event_description","Unable to open file"); + +var dup78 = setc("event_description","SNMP index assigned changed"); + +var dup79 = setc("eventcategory","1302000000"); + +var dup80 = setc("eventcategory","1001020300"); + +var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + +var dup82 = setc("event_description","process_mode"); + +var dup83 
= setc("event_description","Logical interface collision"); + +var dup84 = setc("event_description","excessive runtime time during action of module"); + +var dup85 = setc("event_description","Reinitializing"); + +var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var dup93 = setc("eventcategory","1803010000"); + +var dup94 = setc("ec_activity","Deny"); + +var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var dup97 = setc("event_description","session denied"); + +var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" 
nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var dup103 = setc("dclass_counter1_string","No.of packets from client"); + +var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + +var dup105 = setc("event_description","send send-type (index1) failure"); + +var dup106 = setc("event_description","SNMP trap error"); + +var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + +var dup108 = setc("event_description","SNMP TRAP LINK UP"); + +var dup109 = setc("event_description","Login Failure"); + +var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var dup111 = setc("eventcategory","1701020000"); + +var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var dup114 = setc("event_description","User set command"); + +var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var dup118 = setc("event_description","User set groups to secret"); + +var dup119 = setc("event_description","UI CMDLINE READ LINE"); + +var dup120 = setc("event_description","User commit"); + +var dup121 
= match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var dup123 = setc("eventcategory","1401070000"); + +var dup124 = setc("ec_activity","Logoff"); + +var dup125 = setc("event_description","Successful login"); + +var dup126 = setf("hostname","hostip"); + +var dup127 = setc("event_description","TACACS+ failure"); + +var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var dup131 = setc("eventcategory","1003010000"); + +var dup132 = setc("eventcategory","1901000000"); + +var dup133 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var dup134 = linear_select([ + dup39, + dup40, +]); + +var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, +])); + +var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var dup142 = linear_select([ + dup75, + dup76, +]); + +var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var dup147 = linear_select([ + dup87, + dup88, +]); + +var dup148 = linear_select([ + dup89, + dup90, +]); + +var dup149 = linear_select([ + dup95, + dup96, +]); + +var dup150 = linear_select([ + dup101, + dup102, +]); + +var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" 
source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var dup153 = linear_select([ + dup116, + dup117, +]); + +var dup154 = linear_select([ + dup121, + dup122, +]); + +var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup156 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: 
"nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), +])); + +var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + +var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + +var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + +var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + +var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + +var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, +]); + +var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), +}); + +var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +]); + +var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), +}); + +var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: 
%{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, +])); + +var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, +])); + +var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, +])); + +var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0011"), + dup9, +])); + +var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, +])); + +var hdr12 = match("HEADER#13:0012", 
"message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, +])); + +var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("payload"), + ], + }), +])); + +var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var all3 = all_match({ + processors: [ + hdr14, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), +}); + +var all4 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), +}); + +var all5 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), +}); + +var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), 
+ call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, +])); + +var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, +])); + +var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, +])); + +var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, +])); + +var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, +])); + +var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, +])); + +var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, +])); + +var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, +])); + +var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), 
+ field("payload"), + ], + }), +])); + +var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, +])); + +var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), +])); + +var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), +])); + +var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), +])); + +var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} 
%{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), +])); + +var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); + +var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + +var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + +var select3 = linear_select([ + part8, + part9, +]); + +var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + +var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), +}); + +var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + +var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + +var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + +var select4 = linear_select([ + hdr36, + hdr37, + hdr38, +]); + +var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + +var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), +}); + +var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("payload"), + ], + }), +])); + +var hdr41 = match("HEADER#42:9999", "message", 
"%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), +])); + +var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, +]); + +var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, +])); + +var msg1 = msg("/usr/sbin/sshd", part12); + +var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, +])); + +var msg2 = msg("/usr/libexec/telnetd", part13); + +var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, +])); + +var msg3 = msg("alarmd", part14); + +var part15 = match("MESSAGE#3:bigd", 
"nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, +])); + +var msg4 = msg("bigd", part15); + +var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, +])); + +var msg5 = msg("bigd:01", part16); + +var select6 = linear_select([ + msg4, + msg5, +]); + +var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, +])); + +var msg6 = msg("bigpipe", part17); + +var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, +])); + +var msg7 = msg("bigpipe:01", part18); + +var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, +])); + +var msg8 = msg("bigpipe:02", part19); + +var select7 = linear_select([ + msg6, + msg7, + msg8, +]); + +var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, +])); + +var msg9 = msg("bigstart", part20); + +var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, +])); + +var msg10 = msg("cgatool", part21); + +var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + 
dup21, + dup22, + dup23, +])); + +var msg11 = msg("chassisd:01", part22); + +var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg12 = msg("checkd", part23); + +var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, +])); + +var msg13 = msg("checkd:01", part24); + +var select8 = linear_select([ + msg12, + msg13, +]); + +var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, +])); + +var msg14 = msg("cosd", part25); + +var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, +])); + +var msg15 = msg("craftd", part26); + +var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + +var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + +var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + +var select9 = linear_select([ + part28, + part29, +]); + +var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), +}); + +var msg16 = msg("CRON", all8); + +var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + +var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + +var select10 = linear_select([ + part30, + part31, +]); + +var all9 = all_match({ + processors: [ + 
select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg17 = msg("Cmerror", all9); + +var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, +])); + +var msg18 = msg("cron", part32); + +var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, +])); + +var msg19 = msg("CROND", part33); + +var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, +])); + +var msg20 = msg("CROND:02", part34); + +var select11 = linear_select([ + msg19, + msg20, +]); + +var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, +])); + +var msg21 = msg("crond:01", part35); + +var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, +])); + +var msg22 = msg("dcd", part36); + +var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + +var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + +var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + +var select12 = linear_select([ + part38, + part39, +]); + +var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + 
setc("event_description","EVENT"), + dup22, + ]), +}); + +var msg23 = msg("EVENT", all10); + +var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, +])); + +var msg24 = msg("ftpd", part40); + +var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, +])); + +var msg25 = msg("ha_rto_stats_handler", part41); + +var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, +])); + +var msg26 = msg("hostinit", part42); + +var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, +])); + +var msg27 = msg("ifinfo", part43); + +var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, +])); + +var msg28 = msg("ifinfo:01", part44); + +var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, +])); + +var msg29 = msg("ifinfo:02", part45); + +var select13 = linear_select([ + msg27, + msg28, + msg29, +]); + +var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: 
\"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, +])); + +var msg30 = msg("ifp_ifl_anydown_change_event", part46); + +var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, +])); + +var msg31 = msg("ifp_ifl_config_event", part47); + +var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, +])); + +var msg32 = msg("ifp_ifl_ext_chg", part48); + +var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, +])); + +var msg33 = msg("inetd", part49); + +var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, +])); + +var msg34 = msg("inetd:01", part50); + +var select14 = linear_select([ + msg33, + msg34, +]); + +var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg35 = msg("init:04", part51); + +var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg36 = msg("init", part52); + +var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for 
routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, +])); + +var msg37 = msg("init:01", part53); + +var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, +])); + +var msg38 = msg("init:02", part54); + +var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, +])); + +var msg39 = msg("init:03", part55); + +var select15 = linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, +]); + +var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, +])); + +var msg40 = msg("ipc_msg_write", part56); + +var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, +])); + +var msg41 = msg("connection_established", part57); + +var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + +var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + +var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + +var select16 = linear_select([ + part59, + part60, +]); + +var all11 
= all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), +}); + +var msg42 = msg("connection_dropped", all11); + +var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, +])); + +var msg43 = msg("kernel", part61); + +var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + dup22, +])); + +var msg44 = msg("kernel:01", part62); + +var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, +])); + +var msg45 = msg("kernel:02", part63); + +var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, +])); + +var msg46 = msg("kernel:03", part64); + +var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, +])); + +var msg47 = msg("kernel:04", part65); + +var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg48 = msg("kernel:05", part66); + +var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + 
dup31, + dup22, +])); + +var msg49 = msg("kernel:06", part67); + +var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, +]); + +var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, +])); + +var msg50 = msg("successful_login", part68); + +var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, +])); + +var msg51 = msg("login_attempt", part69); + +var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, +])); + +var msg52 = msg("login", part70); + +var select18 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, +])); + +var msg53 = msg("lsys_ssam_handler", part71); + +var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, +])); + +var msg54 = msg("mcsn", part72); + +var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + 
dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, +])); + +var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + +var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, +])); + +var msg56 = msg("MRVL-L2", part74); + +var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing profile SP-root"), + dup22, +])); + +var msg57 = msg("profile_ssam_handler", part75); + +var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, +])); + +var msg58 = msg("pst_nat_binding_set_profile", part76); + +var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, +])); + +var msg59 = msg("task_reconfigure", part77); + +var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + +var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + +var select19 = linear_select([ + part78, + part79, +]); + +var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), +}); + +var msg60 = msg("tnetd", all12); + +var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session 
manager active"), + dup22, +])); + +var msg61 = msg("PFEMAN", part80); + +var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not send message to service"), + dup22, +])); + +var msg62 = msg("mgd", part81); + +var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on Wrong nh"), + dup22, +])); + +var msg63 = msg("Resolve", part82); + +var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, +])); + +var msg64 = msg("respawn", part83); + +var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, +])); + +var msg65 = msg("root", part84); + +var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, +])); + +var msg66 = msg("rpd", part85); + +var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, +])); + +var msg67 = msg("rpd:01", part86); + +var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} 
(%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, +])); + +var msg68 = msg("rpd:02", part87); + +var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg69 = msg("rpd_proceeding", part88); + +var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, +]); + +var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, +])); + +var msg70 = msg("rshd", part89); + +var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, +])); + +var msg71 = msg("sfd", part90); + +var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, +])); + +var msg72 = msg("sshd", part91); + +var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, +])); + +var msg73 = msg("sshd:02", part92); + +var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, +])); + +var msg74 = msg("sshd:03", part93); + +var 
part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident string"), + dup22, +])); + +var msg75 = msg("sshd:04", part94); + +var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, +])); + +var msg76 = msg("sshd:05", part95); + +var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + +var all13 = all_match({ + processors: [ + dup38, + dup134, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), +}); + +var msg77 = msg("sshd:06", all13); + +var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + +var all14 = all_match({ + processors: [ + dup38, + dup134, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), +}); + +var msg78 = msg("sshd:07", all14); + +var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, +])); + +var msg79 = msg("sshd:08", part98); + +var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, +])); + +var msg80 = msg("sshd:09", part99); + +var part100 = 
match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM module return from sshd"), + dup22, +])); + +var msg81 = msg("sshd:10", part100); + +var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, +])); + +var msg82 = msg("sshd:11", part101); + +var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, +])); + +var msg83 = msg("sshd:12", part102); + +var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, +])); + +var msg84 = msg("sshd:13", part103); + +var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, +])); + +var msg85 = msg("sshd:14", part104); + +var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, +])); + +var msg86 = msg("sshd:15", part105); + +var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, +])); + 
+var msg87 = msg("sshd:16", part106); + +var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, +]); + +var part107 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + +var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + +var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + +var select22 = linear_select([ + part108, + part109, + dup44, +]); + +var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); + +var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), +}); + +var msg88 = msg("Failed:05", all15); + +var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + +var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + +var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + +var select23 = linear_select([ + part112, + part113, +]); + +var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + +var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), +}); + +var msg89 = msg("Failed", all16); + +var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, +])); + +var msg90 = msg("Failed:01", part115); + +var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for 
Multiservice "); + +var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + +var select24 = linear_select([ + part116, + part117, +]); + +var all17 = all_match({ + processors: [ + select24, + ], + on_success: processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), +}); + +var msg91 = msg("Failed:02", all17); + +var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, +]); + +var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, +])); + +var msg92 = msg("syslogd", part118); + +var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg93 = msg("ucd-snmp", part119); + +var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, +])); + +var msg94 = msg("ucd-snmp:01", part120); + +var select26 = linear_select([ + msg93, + msg94, +]); + +var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, +])); + +var msg95 = msg("usp_ipc_client_reconnect", part121); + +var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, +])); + +var msg96 = msg("usp_trace_ipc_disconnect", part122); + +var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, +])); + +var msg97 = msg("usp_trace_ipc_reconnect", part123); + +var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, +])); + +var msg98 = msg("uspinfo", part124); + +var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, +])); + +var msg99 = msg("Version", part125); + +var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, +])); + +var msg100 = msg("xntpd", part126); + +var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, +])); + +var msg101 = msg("xntpd:01", part127); + +var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, +])); + +var msg102 = msg("xntpd:02", part128); + +var part129 = match("MESSAGE#99:xntpd:03", "nwparser.payload", 
"%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg103 = msg("xntpd:03", part129); + +var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, +]); + +var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, +])); + +var msg104 = msg("last", part130); + +var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, +])); + +var msg105 = msg("last:01", part131); + +var select28 = linear_select([ + msg104, + msg105, +]); + +var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, +])); + +var msg106 = msg("BCHIP", part132); + +var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, +])); + +var msg107 = msg("CM", part133); + +var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, +])); + +var msg108 = msg("COS", part134); + +var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, +])); + +var msg109 = msg("COSFPC", part135); + +var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","delete class 
to ifl link"), + dup22, +])); + +var msg110 = msg("COSMAN", part136); + +var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, +])); + +var msg111 = msg("RDP", part137); + +var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, +])); + +var msg112 = msg("SNTPD", part138); + +var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, +])); + +var msg113 = msg("SSB", part139); + +var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, +])); + +var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + +var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, +])); + +var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + +var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, +])); + +var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part142); + +var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, +])); + +var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + +var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, +])); + +var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + +var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + +var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + +var select29 = linear_select([ + part145, + part146, +]); + +var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + +var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), +}); + +var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + +var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, +])); + +var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + +var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup29, + dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + 
dup22, +])); + +var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + +var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, +])); + +var msg122 = msg("ACCT_XFER_FAILED", part150); + +var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, +])); + +var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + +var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, +])); + +var msg124 = msg("APPQOS_LOG_EVENT", part152); + +var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, +])); + +var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + +var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} 
reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, +])); + +var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + +var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, +])); + +var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + +var select30 = linear_select([ + msg126, + msg127, +]); + +var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" 
policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, +])); + +var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + +var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, +])); + +var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + +var select31 = linear_select([ + msg128, + msg129, +]); + +var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); + +var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); + +var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, +])); + +var msg132 = msg("bgp_connect_start", part158); + +var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, +])); + +var msg133 = msg("bgp_event", part159); + +var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: 
%{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, +])); + +var msg134 = msg("bgp_listen_accept", part160); + +var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, +])); + +var msg135 = msg("bgp_listen_reset", part161); + +var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, +])); + +var msg136 = msg("bgp_nexthop_sanity", part162); + +var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, +])); + +var msg137 = msg("bgp_process_caps", part163); + +var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg138 = msg("bgp_process_caps:01", part164); + +var select32 = linear_select([ + msg137, + msg138, +]); + +var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection collision"), + setc("result","dropping connection to peer"), + dup22, +])); + +var msg139 = msg("bgp_pp_recv", part165); + +var part166 = 
match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, +])); + +var msg140 = msg("bgp_pp_recv:01", part166); + +var select33 = linear_select([ + msg139, + msg140, +]); + +var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, +])); + +var msg141 = msg("bgp_send", part167); + +var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, +])); + +var msg142 = msg("bgp_traffic_timeout", part168); + +var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, +])); + +var msg143 = msg("BOOTPD_ARG_ERR", part169); + +var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, +])); + +var msg144 = msg("BOOTPD_BAD_ID", part170); + +var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, +])); + +var msg145 = msg("BOOTPD_BOOTSTRING", 
part171); + +var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, +])); + +var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + +var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, +])); + +var msg147 = msg("BOOTPD_CONF_OPEN", part173); + +var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, +])); + +var msg148 = msg("BOOTPD_DUP_REV", part174); + +var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, +])); + +var msg149 = msg("BOOTPD_DUP_SLOT", part175); + +var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, +])); + +var msg150 = msg("BOOTPD_MODEL_CHK", part176); + +var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unsupported model"), + dup22, +])); + +var msg151 = msg("BOOTPD_MODEL_ERR", part177); + +var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, +])); + +var msg152 = msg("BOOTPD_NEW_CONF", part178); + +var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, +])); + +var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + +var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, +])); + +var msg154 = msg("BOOTPD_NO_CONFIG", part180); + +var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, +])); + +var msg155 = msg("BOOTPD_PARSE_ERR", part181); + +var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, +])); + +var msg156 = msg("BOOTPD_REPARSE", part182); + +var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, +])); + +var msg157 = msg("BOOTPD_SELECT_ERR", part183); + +var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + 
dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, +])); + +var msg158 = msg("BOOTPD_TIMEOUT", part184); + +var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, +])); + +var msg159 = msg("BOOTPD_VERSION", part185); + +var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, +])); + +var msg160 = msg("CHASSISD", part186); + +var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, +])); + +var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + +var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, +])); + +var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + +var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, +])); + +var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + +var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, 
%{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading midplane ID EEPROM"), + dup22, +])); + +var msg164 = msg("CHASSISD_CB_READ", part190); + +var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, +])); + +var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + +var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, +])); + +var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + +var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, +])); + +var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + +var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, +])); + +var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + +var part195 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG 
WARNING"), + dup22, +])); + +var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + +var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, +])); + +var msg170 = msg("CHASSISD_EXISTS", part196); + +var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, +])); + +var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + +var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, +])); + +var msg172 = msg("CHASSISD_FILE_OPEN", part198); + +var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, +])); + +var msg173 = msg("CHASSISD_FILE_STAT", part199); + +var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, +])); + +var msg174 = msg("CHASSISD_FRU_EVENT", part200); + +var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ 
+ dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, +])); + +var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + +var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, +])); + +var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + +var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, +])); + +var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + +var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, +])); + +var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + +var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, +])); + +var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + +var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, +])); + +var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + +var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup22, +])); + +var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + +var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, +])); + +var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + +var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, +])); + +var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + +var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, +])); + +var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + +var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, +])); + +var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + +var part212 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, +])); + +var msg186 = 
msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + +var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, +])); + +var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + +var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, +])); + +var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + +var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, +])); + +var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + +var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, +])); + +var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + +var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + setc("event_description","management bus failed sanity test"), + dup22, +])); + +var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + +var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new 
configuration"), + dup22, +])); + +var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + +var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, +])); + +var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + +var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, +])); + +var msg194 = msg("CHASSISD_PARSE_INIT", part220); + +var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, +])); + +var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + +var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, +])); + +var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + +var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup58, + dup21, + setc("event_description","device not powering up"), + dup22, +])); + +var msg197 = msg("CHASSISD_POWER_CHECK", part223); + +var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft 
restart"), + dup22, +])); + +var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + +var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, +])); + +var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + +var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, +])); + +var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + +var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, +])); + +var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + +var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, +])); + +var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + +var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, +])); + +var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + +var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read 
error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Serial ID read error"), + dup22, +])); + +var msg204 = msg("CHASSISD_SERIAL_ID", part230); + +var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, +])); + +var msg205 = msg("CHASSISD_SMB_ERROR", part231); + +var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, +])); + +var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + +var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, +])); + +var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + +var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, +])); + +var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + +var part235 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, +])); + +var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + +var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot 
%{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","Taking PIC offline"), + dup22, +])); + +var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + +var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, +])); + +var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + +var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, +])); + +var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + +var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, +])); + +var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + +var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, +])); + +var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + +var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, 
+])); + +var msg215 = msg("clean_process", part241); + +var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, +])); + +var msg216 = msg("CM_JAVA", part242); + +var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, +])); + +var msg217 = msg("DCD_AS_ROOT", part243); + +var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, +])); + +var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + +var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); + +var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, +])); + +var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + +var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, +])); + +var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + +var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors 
while parsing configuration overlay"), + dup22, +])); + +var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); + +var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, +])); + +var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + +var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, +])); + +var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + +var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, +])); + +var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + +var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT ERROR"), + dup22, +])); + +var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + +var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); + +var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, +])); + +var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + +var part253 = 
match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, +])); + +var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + +var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); + +var msg231 = msg("ECCD_DUPLICATE", dup138); + +var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, +])); + +var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + +var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, +])); + +var msg233 = msg("ECCD_NOT_ROOT", part255); + +var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, +])); + +var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + +var part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, +])); + +var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + +var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, +])); + +var msg236 = 
msg("ECCD_PCI_WRITE_FAILED", part258); + +var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); + +var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); + +var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, +])); + +var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + +var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, +])); + +var msg240 = msg("ECCD_usage", part260); + +var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, +])); + +var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + +var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + +var part263 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, +])); + +var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + +var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, +])); + 
+var msg244 = msg("FSAD_CONFIG_ERROR", part264); + +var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, +])); + +var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + +var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, +])); + +var msg246 = msg("FSAD_FAILED", part266); + +var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, +])); + +var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + +var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, +])); + +var msg248 = msg("FSAD_FILE_FAILED", part268); + +var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, +])); + +var msg249 = msg("FSAD_FILE_REMOVE", part269); + +var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename 
file"), + dup22, +])); + +var msg250 = msg("FSAD_FILE_RENAME", part270); + +var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, +])); + +var msg251 = msg("FSAD_FILE_STAT", part271); + +var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, +])); + +var msg252 = msg("FSAD_FILE_SYNC", part272); + +var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, +])); + +var msg253 = msg("FSAD_MAXCONN", part273); + +var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, +])); + +var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part274); + +var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, +])); + +var msg255 = msg("FSAD_NOT_ROOT", part275); + +var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, +])); + +var msg256 = msg("FSAD_PARENT_DIRECTORY", 
part276); + +var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, +])); + +var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + +var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, +])); + +var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + +var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, +])); + +var msg259 = msg("FSAD_RECVERROR", part279); + +var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, +])); + +var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + +var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, +])); + +var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + +var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open 
operation on trace file failed"), + dup22, +])); + +var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); + +var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, +])); + +var msg263 = msg("FSAD_USAGE", part283); + +var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, +])); + +var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + +var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, +])); + +var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + +var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, +])); + +var msg266 = msg("GGSN_TRAP_SEND", part286); + +var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, +])); + +var msg267 = msg("JADE_AUTH_ERROR", part287); + +var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, +])); + +var msg268 = msg("JADE_EXEC_ERROR", 
part288); + +var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, +])); + +var msg269 = msg("JADE_NO_LOCAL_USER", part289); + +var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, +])); + +var msg270 = msg("JADE_PAM_ERROR", part290); + +var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, +])); + +var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + +var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, +])); + +var msg272 = msg("KERN_ARP_ADDR_CHANGE", part292); + +var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, +])); + +var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + +var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, +])); + +var msg274 = 
msg("L2CPD_TASK_REINIT", part294); + +var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, +])); + +var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + +var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, +])); + +var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + +var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); + +var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, +])); + +var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + +var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, +])); + +var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + +var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, +])); + +var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + +var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + 
setc("event_description","Unable to lower privilege level"), + dup22, +])); + +var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); + +var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, +])); + +var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + +var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, +])); + +var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + +var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, +])); + +var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + +var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, +])); + +var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + +var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, +])); + +var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + +var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, +])); + +var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + +var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, +])); + +var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + +var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, +])); + +var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + +var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + dup22, +])); + +var msg290 = msg("LICENSE_EXPIRED", part309); + +var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, +])); + +var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + +var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, +])); + +var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + +var part312 = 
match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, +])); + +var msg293 = msg("LOGIN_ABORTED", part312); + +var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, +])); + +var msg294 = msg("LOGIN_FAILED", part313); + +var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, +])); + +var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + +var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set context for user"), + dup22, +])); + +var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + +var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, +])); + +var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + +var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + 
setc("result","Unable to resolve hostname"), + dup22, +])); + +var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + +var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + +var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); + +var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + +var select34 = linear_select([ + part320, + dup44, +]); + +var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); + +var all19 = all_match({ + processors: [ + dup38, + dup134, + part318, + dup142, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), +}); + +var msg299 = msg("LOGIN_INFORMATION", all19); + +var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in local password file for user"), + dup22, +])); + +var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + +var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, +])); + +var msg301 = msg("LOGIN_MALFORMED_USER", part323); + +var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + +var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + +var select35 = linear_select([ + part324, + part325, +]); + +var part326 = 
match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); + +var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), +}); + +var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + +var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, +])); + +var msg303 = msg("LOGIN_PAM_ERROR", part327); + +var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, +])); + +var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part328); + +var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, +])); + +var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + +var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, +])); + +var msg306 = msg("LOGIN_PAM_STOP", part330); + +var part331 = 
match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, +])); + +var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + +var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, +])); + +var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + +var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, +])); + +var msg309 = msg("LOGIN_REFUSED", part333); + +var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, +])); + +var msg310 = msg("LOGIN_ROOT", part334); + +var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, +])); + +var msg311 = msg("LOGIN_TIMED_OUT", part335); + +var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, +])); + +var msg312 = msg("MIB2D_ATM_ERROR", part336); + +var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, +])); + +var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + +var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + +var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); + +var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); + +var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","mib2d initialization failure"), + dup22, +])); + +var msg317 = msg("MIB2D_INIT_FAILURE", part339); + +var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, +])); + +var msg318 = msg("MIB2D_KVM_FAILURE", part340); + +var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, +])); + +var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + +var part342 = 
match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, +])); + +var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + +var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, +])); + +var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + +var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, +])); + +var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + +var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, +])); + +var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + +var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, +])); + +var msg324 = msg("Multiuser", part346); + +var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, +])); + +var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + 
+var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, +])); + +var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + +var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, +])); + +var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + +var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, +])); + +var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + +var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, +])); + +var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + +var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, +])); + +var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", 
part352); + +var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, +])); + +var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + +var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, +])); + +var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + +var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, +])); + +var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + +var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); + +var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, +])); + +var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + +var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, +])); + +var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + +var msg337 = msg("NASD_DUPLICATE", dup138); + +var part358 = 
match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, +])); + +var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + +var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, +])); + +var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + +var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, +])); + +var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + +var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, +])); + +var msg341 = msg("NASD_NOT_ROOT", part361); + +var msg342 = msg("NASD_PID_FILE_LOCK", dup139); + +var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); + +var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, +])); + +var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + +var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, +])); + +var msg345 = 
msg("NASD_PPP_READ_FAILURE", part363); + +var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, +])); + +var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + +var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, +])); + +var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + +var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, +])); + +var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + +var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, +])); + +var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + +var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, +])); + +var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + +var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to 
allocate RADIUS module handle"), + dup22, +])); + +var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + +var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, +])); + +var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + +var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, +])); + +var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + +var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, +])); + +var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + +var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, +])); + +var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + +var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, +])); + +var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + +var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, +])); + +var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + +var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, +])); + +var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + +var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, +])); + +var msg359 = msg("NASD_usage", part377); + +var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg360 = msg("NOTICE", part378); + +var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + +var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + +var select36 = linear_select([ + msg361, + msg362, +]); + +var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests 
throttled"), + dup22, +])); + +var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + +var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, +])); + +var msg364 = msg("PING_TEST_COMPLETED", part382); + +var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, +])); + +var msg365 = msg("PING_TEST_FAILED", part383); + +var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + +var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + +var part386 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + +var select37 = linear_select([ + part385, + part386, +]); + +var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + +var all21 = all_match({ + processors: [ + dup38, + dup134, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), +}); + +var msg366 = msg("process_mode", all21); + +var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, +])); + +var msg367 = msg("process_mode:01", part388); + +var select38 = linear_select([ + msg366, + msg367, +]); + +var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + 
dup20, + dup21, + setc("event_description","process exit with status"), + dup22, +])); + +var msg368 = msg("PWC_EXIT", part389); + +var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, +])); + +var msg369 = msg("PWC_HOLD_RELEASE", part390); + +var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, +])); + +var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + +var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, +])); + +var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + +var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, +])); + +var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + +var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, +])); + +var msg373 = msg("PWC_KILL_EVENT", part394); + +var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: 
%{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, +])); + +var msg374 = msg("PWC_KILL_FAILED", part395); + +var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, +])); + +var msg375 = msg("PWC_KQUEUE_ERROR", part396); + +var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, +])); + +var msg376 = msg("PWC_KQUEUE_INIT", part397); + +var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, +])); + +var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + +var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, +])); + +var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + +var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, +])); + +var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + +var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + 
setc("event_description","PID lock file not found"), + dup22, +])); + +var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + +var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, +])); + +var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + +var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, +])); + +var msg382 = msg("PWC_NO_PROCESS", part403); + +var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, +])); + +var msg383 = msg("PWC_PROCESS_EXIT", part404); + +var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, +])); + +var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + +var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, +])); + +var msg385 = msg("PWC_PROCESS_HOLD", part406); + +var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} 
will not down child %{child_pid->} because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + dup22, +])); + +var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + +var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, +])); + +var msg387 = msg("PWC_PROCESS_OPEN", part408); + +var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, +])); + +var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part409); + +var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, +])); + +var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + +var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, +])); + +var msg390 = msg("PWC_SIGNAL_INIT", part411); + +var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, +])); + +var msg391 = msg("PWC_SOCKET_CONNECT", part412); + +var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, +])); + +var msg392 = msg("PWC_SOCKET_CREATE", part413); + +var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, +])); + +var msg393 = msg("PWC_SOCKET_OPTION", part414); + +var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, +])); + +var msg394 = msg("PWC_STDOUT_WRITE", part415); + +var part416 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, +])); + +var msg395 = msg("PWC_SYSTEM_CALL", part416); + +var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, +])); + +var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + +var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, +])); + +var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + +var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, +])); + +var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + +var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, +])); + +var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + +var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, +])); + +var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + +var msg401 = msg("RMOPD_DUPLICATE", dup138); + +var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, +])); + +var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + +var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, +])); + +var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + +var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, +])); + +var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + +var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NO INFO"), + dup22, +])); + +var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + +var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, +])); + +var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + +var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, +])); + +var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + +var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, +])); + +var msg408 = msg("RMOPD_NOT_ROOT", part428); + +var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, +])); + +var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + +var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, +])); + +var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + +var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + 
dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, +])); + +var msg411 = msg("RMOPD_usage", part431); + +var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, +])); + +var msg412 = msg("RPD_ABORT", part432); + +var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, +])); + +var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + +var part434 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, +])); + +var msg414 = msg("RPD_ASSERT", part434); + +var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, +])); + +var msg415 = msg("RPD_ASSERT_SOFT", part435); + +var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, +])); + +var msg416 = msg("RPD_EXIT", part436); + +var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); + +var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); + +var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS 
lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + dup22, +])); + +var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + +var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, +])); + +var msg420 = msg("RPD_ISIS_ADJUP", part438); + +var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, +])); + +var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + +var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, +])); + +var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + +var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, +])); + +var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + +var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + 
setc("event_description","message with unsupported address family received"), + dup22, +])); + +var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + +var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, +])); + +var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + +var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","received deleted routing table from kernel"), + dup22, +])); + +var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + +var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, +])); + +var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + +var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, +])); + +var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + +var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, +])); + +var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + +var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, +])); + +var msg430 = msg("RPD_KRT_IFDGET", part448); + +var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, +])); + +var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + +var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, +])); + +var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + +var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, +])); + +var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + +var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, +])); + +var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + +var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, +])); + +var msg435 = 
msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + +var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, +])); + +var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + +var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","No device for interface"), + dup22, +])); + +var msg437 = msg("RPD_KRT_NOIFD", part455); + +var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, +])); + +var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + +var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, +])); + +var msg439 = msg("RPD_KRT_VERSION", part457); + +var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, +])); + +var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + +var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version is older than expected"), + dup22, +])); + +var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + +var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, +])); + +var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + +var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, +])); + +var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + +var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, +])); + +var msg444 = msg("RPD_LDP_NBRDOWN", part462); + +var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, +])); + +var msg445 = msg("RPD_LDP_NBRUP", part463); + +var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, +])); + +var msg446 
= msg("RPD_LDP_SESSIONDOWN", part464); + +var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + dup22, +])); + +var msg447 = msg("RPD_LDP_SESSIONUP", part465); + +var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, +])); + +var msg448 = msg("RPD_LOCK_FLOCKED", part466); + +var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, +])); + +var msg449 = msg("RPD_LOCK_LOCKED", part467); + +var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, +])); + +var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + +var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, +])); + +var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + +var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, +])); + +var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + +var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, +])); + +var msg453 = msg("RPD_MPLS_LSP_UP", part471); + +var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, +])); + +var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + +var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, +])); + +var msg455 = msg("RPD_MSDP_PEER_UP", part473); + +var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, +])); + +var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + +var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, +])); + +var msg457 = msg("RPD_OSPF_NBRUP", part475); + +var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, +])); + +var msg458 = msg("RPD_OS_MEMHIGH", part476); + +var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout 
interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, +])); + +var msg459 = msg("RPD_PIM_NBRDOWN", part477); + +var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, +])); + +var msg460 = msg("RPD_PIM_NBRUP", part478); + +var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, +])); + +var msg461 = msg("RPD_RDISC_CKSUM", part479); + +var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, +])); + +var msg462 = msg("RPD_RDISC_NOMULTI", part480); + +var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, +])); + +var msg463 = msg("RPD_RDISC_NORECVIF", part481); + +var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, +])); + +var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + +var part483 = 
match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup22, +])); + +var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + +var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, +])); + +var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + +var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, +])); + +var msg467 = msg("RPD_RIP_AUTH", part485); + +var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, +])); + +var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + +var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, +])); + +var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + +var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index 
%{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, +])); + +var msg470 = msg("RPD_RT_IFUP", part488); + +var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); + +var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + dup22, +])); + +var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + +var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); + +var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, +])); + +var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + +var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, +])); + +var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + +var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, +])); + +var msg476 = msg("RPD_START", part492); + +var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, +])); + +var msg477 = msg("RPD_SYSTEM", part493); + +var 
part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing updates"), + dup22, +])); + +var msg478 = msg("RPD_TASK_BEGIN", part494); + +var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task killed by signal"), + dup22, +])); + +var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + +var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, +])); + +var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + +var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, +])); + +var msg481 = msg("RPD_TASK_FORK", part497); + +var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, +])); + +var msg482 = msg("RPD_TASK_GETWD", part498); + +var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, +])); + +var msg483 = msg("RPD_TASK_NOREINIT", part499); + +var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, +])); + +var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + +var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, +])); + +var msg485 = msg("RPD_TASK_PIDFLOCK", part501); + +var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, +])); + +var msg486 = msg("RPD_TASK_PIDWRITE", part502); + +var msg487 = msg("RPD_TASK_REINIT", dup146); + +var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, +])); + +var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + +var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, +])); + +var msg489 = msg("RT_COS", part504); + +var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + +var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", 
"type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + +var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + +var select39 = linear_select([ + part507, + part508, +]); + +var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{p0}"); + +var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + +var select40 = linear_select([ + part510, + dup91, +]); + +var all22 = all_match({ + processors: [ + dup86, + dup147, + part505, + dup148, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + +var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + +var select41 = linear_select([ + part511, + part512, +]); + +var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + +var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" 
username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + +var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + +var select42 = linear_select([ + part514, + part515, +]); + +var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + +var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + +var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + +var select43 = linear_select([ + part516, + part517, +]); + +var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + +var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + +var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + +var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + +var select44 = linear_select([ + part519, + part520, + part521, +]); + +var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + 
setc("event_description","session created"), + dup22, + ]), +}); + +var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + +var select45 = linear_select([ + msg490, + msg491, + msg492, +]); + +var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + +var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + +var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + +var select46 = linear_select([ + part523, + part524, + dup91, +]); + +var all25 = all_match({ + processors: [ + dup86, + dup147, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), +}); + +var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + +var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, +])); + +var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + +var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + +var all26 = all_match({ + processors: [ + dup149, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + 
dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + +var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + +var all27 = all_match({ + processors: [ + dup149, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + +var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, +]); + +var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + +var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + +var select48 = linear_select([ + part529, + part530, +]); + +var all28 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), +}); + +var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + +var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, +])); + +var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); + +var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed%{p0}"); + +var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + +var select49 = linear_select([ + part532, + part533, +]); + +var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + +var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), +}); + +var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + +var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + +var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" 
username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + +var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + +var select50 = linear_select([ + part536, + part537, + part538, +]); + +var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + +var all30 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), +}); + +var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + +var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, +]); + +var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! 
source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, +])); + +var msg501 = msg("RT_SCREEN_IP", part540); + +var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg502 = msg("RT_SCREEN_IP:01", part541); + +var select52 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("RT_SCREEN_TCP", dup151); + +var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + +var msg505 = msg("RT_SCREEN_UDP", dup151); + +var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, +])); + +var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + +var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, +])); + +var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + +var part545 = 
match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, +])); + +var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + +var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, +])); + +var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + +var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, +])); + +var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + +var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration process failed"), + dup22, +])); + +var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part548); + +var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, +])); + +var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + +var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to 
read path"), + dup22, +])); + +var msg513 = msg("SERVICED_CONFIG_FILE", part550); + +var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, +])); + +var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + +var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, +])); + +var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + +var msg516 = msg("SERVICED_DUPLICATE", dup138); + +var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, +])); + +var msg517 = msg("SERVICED_EVENT_FAILED", part553); + +var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service initialization failed"), + dup22, +])); + +var msg518 = msg("SERVICED_INIT_FAILED", part554); + +var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, +])); + +var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + +var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, +])); + +var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + +var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, +])); + +var msg521 = msg("SERVICED_NOT_ROOT", part557); + +var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); + +var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); + +var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, +])); + +var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + +var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, +])); + +var msg525 = msg("SERVICED_SIGNAL_HANDLER", part559); + +var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, +])); + +var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + +var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + 
dup22, +])); + +var msg527 = msg("SERVICED_SOCKET_IO", part561); + +var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, +])); + +var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + +var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, +])); + +var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + +var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, +])); + +var msg530 = msg("SERVICED_USAGE", part564); + +var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","object has unexpected value"), + dup22, +])); + +var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + +var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); + +var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); + +var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); + +var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, +])); + +var msg535 = msg("SNMP_NS_LOG_INFO", part566); + +var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, +])); + +var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + +var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, +])); + +var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + +var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, +])); + +var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + +var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","failed input interface authorization to unknown"), + dup22, +])); + +var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + +var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, +])); + +var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + +var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} 
function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, +])); + +var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + +var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, +]); + +var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, +])); + +var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + +var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, +])); + +var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + +var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unauthorized SNMP PDU type"), + dup22, +])); + +var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + +var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, +])); + +var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + +var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", 
processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, +])); + +var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + +var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, +])); + +var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + +var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, +])); + +var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + +var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, +])); + +var msg549 = msg("SNMPD_FILE_FAILURE", part580); + +var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, +])); + +var msg550 = msg("SNMPD_GROUP_ERROR", part581); + +var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, +])); + +var msg551 = msg("SNMPD_INIT_FAILED", part582); + +var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, +])); + +var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + +var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, +])); + +var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + +var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, +])); + +var msg554 = msg("SNMPD_MEMORY_FREED", part585); + +var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, +])); + +var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + +var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, +])); + +var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + +var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, +])); + +var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + +var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, +])); + +var msg558 = msg("SNMPD_RMON_COOKIE", part589); + +var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, +])); + +var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + +var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, +])); + +var msg560 = msg("SNMPD_RMON_IOERROR", part591); + +var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, +])); + +var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + +var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","sequence mismatch"), + dup22, +])); + +var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + +var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, +])); + +var msg563 = msg("SNMPD_SEND_FAILURE", part594); + +var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + 
dup22, +])); + +var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + +var select54 = linear_select([ + msg563, + msg564, +]); + +var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, +])); + +var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + +var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, +])); + +var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + +var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, +])); + +var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + +var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","system function failed"), + dup22, +])); + +var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + +var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, +])); + +var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + +var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ 
+ dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, +])); + +var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + +var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + +var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + +var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, +])); + +var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + +var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + dup22, +])); + +var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + +var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, +])); + +var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + +var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent 
successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, +])); + +var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + +var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, +])); + +var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + +var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, +])); + +var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + +var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, +])); + +var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + +var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, +])); + +var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + +var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + 
dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, +])); + +var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + +var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, +])); + +var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + +var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, +])); + +var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + +var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, +])); + +var msg584 = msg("SNMPD_USER_ERROR", part615); + +var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP deleting view"), + dup22, +])); + +var msg585 = msg("SNMPD_VIEW_DELETE", part616); + +var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, +])); + +var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + +var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, +])); + +var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + +var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, +])); + +var msg588 = msg("SNMP_GET_ERROR1", part619); + +var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, +])); + +var msg589 = msg("SNMP_GET_ERROR2", part620); + +var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, +])); + +var msg590 = msg("SNMP_GET_ERROR3", part621); + +var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, +])); + +var msg591 = msg("SNMP_GET_ERROR4", part622); + +var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, +])); + +var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + +var part624 = 
match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, +])); + +var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + +var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, +])); + +var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + +var select55 = linear_select([ + msg593, + msg594, +]); + +var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, +])); + +var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + +var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, +])); + +var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); + +var select56 = linear_select([ + msg595, + msg596, +]); + +var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, +])); + +var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + +var part629 = 
match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, +])); + +var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + +var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, +])); + +var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + +var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, +])); + +var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + +var part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, +])); + +var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + +var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, +])); + +var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + +var part634 = 
match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, +])); + +var msg603 = msg("SSHD_LOGIN_FAILED", part634); + +var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), +])); + +var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + +var select57 = linear_select([ + msg603, + msg604, +]); + +var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, +])); + +var msg605 = msg("task_connect", part636); + +var msg606 = msg("TASK_TASK_REINIT", dup146); + +var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, +])); + +var msg607 = msg("TFTPD_AF_ERR", part637); + +var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, +])); + +var msg608 = msg("TFTPD_BIND_ERR", part638); + +var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, +])); + +var msg609 = msg("TFTPD_CONNECT_ERR", part639); + +var part640 = 
match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, +])); + +var msg610 = msg("TFTPD_CONNECT_INFO", part640); + +var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, +])); + +var msg611 = msg("TFTPD_CREATE_ERR", part641); + +var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, +])); + +var msg612 = msg("TFTPD_FIO_ERR", part642); + +var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, +])); + +var msg613 = msg("TFTPD_FORK_ERR", part643); + +var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, +])); + +var msg614 = msg("TFTPD_NAK_ERR", part644); + +var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg615 = msg("TFTPD_OPEN_ERR", part645); + +var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", 
processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, +])); + +var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + +var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, +])); + +var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + +var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, +])); + +var msg618 = msg("TFTPD_RECV_ERR", part648); + +var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, +])); + +var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + +var part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, +])); + +var msg620 = msg("TFTPD_SEND_ERR", part650); + +var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, +])); + +var msg621 = msg("TFTPD_SOCKET_ERR", part651); + +var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, +])); + +var msg622 = msg("TFTPD_STATFS_ERR", part652); 
+ +var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, +])); + +var msg623 = msg("TNP", part653); + +var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), +])); + +var msg624 = msg("trace_on", part654); + +var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, +])); + +var msg625 = msg("trace_rotate", part655); + +var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","transfered file"), + dup22, +])); + +var msg626 = msg("transfer-file", part656); + +var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, +])); + +var msg627 = msg("ttloop", part657); + +var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, +])); + +var msg628 = msg("UI_AUTH_EVENT", part658); + +var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, +])); + +var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + +var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, +])); + +var msg630 = msg("UI_BOOTTIME_FAILED", part660); + +var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, +])); + +var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + +var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, +])); + +var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + +var select58 = linear_select([ + msg631, + msg632, +]); + +var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, +])); + +var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + +var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, 
+])); + +var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + +var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + +var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + +var select59 = linear_select([ + part665, + part666, +]); + +var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), +}); + +var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + +var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, +])); + +var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); + +var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, +])); + +var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); + +var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, +])); + +var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); + +var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, +]); + +var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + +var select61 = linear_select([ + part670, + dup112, +]); + +var all32 = all_match({ + processors: [ + 
dup110, + select61, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), +}); + +var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + +var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + +var select62 = linear_select([ + part671, + dup112, +]); + +var all33 = all_match({ + processors: [ + dup110, + select62, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), +}); + +var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + +var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, +])); + +var msg641 = msg("UI_CFG_AUDIT_SET", part672); + +var select63 = linear_select([ + msg639, + msg640, + msg641, +]); + +var part673 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + +var all34 = all_match({ + processors: [ + dup115, + dup153, + part673, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), +}); + +var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + +var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + +var all35 = all_match({ + processors: [ + dup115, + dup153, + part674, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), +}); + +var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + +var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, +])); + +var msg644 = 
msg("UI_CFG_AUDIT_SET_SECRET", part675); + +var select64 = linear_select([ + msg642, + msg643, + msg644, +]); + +var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, +])); + +var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); + +var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, +])); + +var msg646 = msg("UI_CHILD_CHANGE_USER", part677); + +var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed"), + dup22, +])); + +var msg647 = msg("UI_CHILD_EXEC", part678); + +var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, +])); + +var msg648 = msg("UI_CHILD_EXITED", part679); + +var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to append to log"), + dup22, +])); + +var msg649 = msg("UI_CHILD_FOPEN", part680); + +var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unable to create pipe for command"), + dup22, +])); + +var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); + +var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, +])); + +var msg651 = msg("UI_CHILD_SIGNALED", part682); + +var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, +])); + +var msg652 = msg("UI_CHILD_STOPPED", part683); + +var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + setc("event_description","Starting child"), + dup22, +])); + +var msg653 = msg("UI_CHILD_START", part684); + +var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, +])); + +var msg654 = msg("UI_CHILD_STATUS", part685); + +var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, +])); + +var msg655 = msg("UI_CHILD_WAITPID", part686); + +var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, +])); + +var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); + +var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, +])); + +var msg657 = msg("UI_CMDLINE_READ_LINE", part688); + +var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, +])); + +var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); + +var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork command"), + dup22, +])); + +var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); + +var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); + +var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, +])); + +var msg661 = msg("UI_CMDSET_STOPPED", part691); + +var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup71, + dup22, +])); + +var msg662 = msg("UI_CMDSET_WEXITED", part692); + +var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, +])); + +var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); + +var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + +var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + +var select65 = linear_select([ + part694, + part695, +]); + +var all36 = all_match({ + processors: [ + dup115, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup120, + dup22, + ]), +}); + +var msg664 = msg("UI_COMMIT", all36); + +var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup120, + dup22, +])); + +var msg665 = msg("UI_COMMIT_AT", part696); + +var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, +])); + +var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); + +var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, +])); + +var msg667 = msg("UI_COMMIT_AT_FAILED", part698); + +var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, +])); + +var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); + +var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + 
dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, +])); + +var msg669 = msg("UI_COMMIT_CONFIRMED", part700); + +var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + +var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + +var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + +var select66 = linear_select([ + part702, + part703, +]); + +var all37 = all_match({ + processors: [ + part701, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), +}); + +var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + +var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); + +var all38 = all_match({ + processors: [ + dup49, + dup142, + part704, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), +}); + +var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + +var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, +])); + +var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); + +var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, +])); + +var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); + +var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", 
"commit %{p0}"); + +var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + +var select67 = linear_select([ + part707, + part708, +]); + +var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + +var all39 = all_match({ + processors: [ + dup49, + select67, + part709, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), +}); + +var msg674 = msg("UI_COMMIT_PROGRESS", all39); + +var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, +])); + +var msg675 = msg("UI_COMMIT_QUIT", part710); + +var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, +])); + +var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); + +var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, +])); + +var msg677 = msg("UI_COMMIT_SYNC", part712); + +var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, +])); + +var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); + +var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: 
%{agent}, path: %{p0}"); + +var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + +var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + +var select68 = linear_select([ + part715, + part716, +]); + +var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + +var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + +var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); + +var select69 = linear_select([ + part718, + part719, +]); + +var all40 = all_match({ + processors: [ + part714, + select68, + part717, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), +}); + +var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + +var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + +var all41 = all_match({ + processors: [ + dup49, + dup154, + part720, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), +}); + +var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + +var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, +])); + +var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); + +var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, +])); + +var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); + +var part723 = 
match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + +var all42 = all_match({ + processors: [ + dup49, + dup154, + part723, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), +}); + +var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + +var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, +])); + +var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); + +var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, +])); + +var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); + +var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, +])); + +var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); + +var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, +])); + +var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); + +var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User 
'%{username}' %{event_description}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, +])); + +var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); + +var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, +])); + +var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); + +var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, +])); + +var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); + +var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, +])); + +var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); + +var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, +])); + +var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); + +var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, +])); + +var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); + +var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, +])); + +var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); + +var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, +])); + +var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); + +var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, +])); + +var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); + +var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + +var select70 = linear_select([ + dup75, + part737, +]); + +var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); + +var all43 = all_match({ + processors: [ + dup49, + select70, + part738, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), +}); + +var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + +var part739 = 
match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, +])); + +var msg698 = msg("UI_DBASE_RECREATE", part739); + +var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, +])); + +var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); + +var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users have the same UID"), + dup22, +])); + +var msg700 = msg("UI_DUPLICATE_UID", part741); + +var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, +])); + +var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); + +var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, +])); + +var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); + +var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, +])); + +var msg703 = msg("UI_LOAD_EVENT", part744); + +var part745 = 
match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, +])); + +var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); + +var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup126, + dup22, +])); + +var msg705 = msg("UI_LOGIN_EVENT:01", part746); + +var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup22, +])); + +var msg706 = msg("UI_LOGIN_EVENT", part747); + +var select71 = linear_select([ + msg705, + msg706, +]); + +var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User logout"), + dup22, +])); + +var msg707 = msg("UI_LOGOUT_EVENT", part748); + +var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, +])); + +var msg708 = msg("UI_LOST_CONN", part749); + +var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup20, + dup21, + 
setc("event_description","MASTERSHIP EVENT"), + dup22, +])); + +var msg709 = msg("UI_MASTERSHIP_EVENT", part750); + +var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, +])); + +var msg710 = msg("UI_MGD_TERMINATE", part751); + +var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, +])); + +var msg711 = msg("UI_NETCONF_CMD", part752); + +var part753 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, +])); + +var msg712 = msg("UI_READ_FAILED", part753); + +var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, +])); + +var msg713 = msg("UI_READ_TIMEOUT", part754); + +var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, +])); + +var msg714 = msg("UI_REBOOT_EVENT", part755); + +var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, +])); + 
+var msg715 = msg("UI_RESTART_EVENT", part756); + +var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, +])); + +var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); + +var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, +])); + +var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); + +var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, +])); + +var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); + +var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, +])); + +var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); + +var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, +])); + +var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); + +var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine 
%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, +])); + +var msg721 = msg("UI_SYNC_OTHER_RE", part762); + +var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, +])); + +var msg722 = msg("UI_TACPLUS_ERROR", part763); + +var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, +])); + +var msg723 = msg("UI_VERSION_FAILED", part764); + +var part765 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, +])); + +var msg724 = msg("UI_WRITE_RECONNECT", part765); + +var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, +])); + +var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); + +var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate client"), + dup22, +])); + +var msg726 = msg("WEB_AUTH_FAIL", part767); + +var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} 
client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, +])); + +var msg727 = msg("WEB_AUTH_SUCCESS", part768); + +var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, +])); + +var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); + +var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, +])); + +var msg729 = msg("WEB_READ", part770); + +var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, +])); + +var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); + +var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, +])); + +var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); + +var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + dup21, + setc("event_description","Bridge Address"), + dup22, +])); + +var msg732 = msg("eswd", part773); + +var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: 
%{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, +])); + +var msg733 = msg("eswd:01", part774); + +var select72 = linear_select([ + msg732, + msg733, +]); + +var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, +])); + +var msg734 = msg("/usr/sbin/cron", part775); + +var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), + dup22, +])); + +var msg735 = msg("chassism:02", part776); + +var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, +])); + +var msg736 = msg("chassism:01", part777); + +var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, +])); + +var msg737 = msg("chassism", part778); + +var select73 = linear_select([ + msg735, + msg736, + msg737, +]); + +var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); + +var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" 
PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); + +var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part780); + +var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); + +var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, +]); + +var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); + +var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg743 = 
msg("WEBFILTER_URL_BLOCKED:01", part782); + +var select75 = linear_select([ + msg742, + msg743, +]); + +var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); + +var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, +])); + +var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part784); + +var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); + +var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); + +var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup126, +])); + +var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); + +var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg749 = msg("LACPD_TIMEOUT", part788); + +var msg750 = msg("cli", dup156); + +var msg751 = msg("pfed", 
dup156); + +var msg752 = msg("idpinfo", dup156); + +var msg753 = msg("kmd", dup156); + +var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg754 = msg("node:01", part789); + +var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg755 = msg("node:02", part790); + +var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg756 = msg("node:03", part791); + +var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg757 = msg("node:04", part792); + +var select76 = linear_select([ + dup129, + dup130, +]); + +var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + +var select77 = linear_select([ + dup130, + dup129, +]); + +var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + +var all44 = all_match({ + processors: [ + dup128, + select76, + part793, + select77, + part794, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg758 = msg("node:05", all44); + +var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + +var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + +var select78 = linear_select([ + part795, + part796, +]); + +var all45 = all_match({ + processors: [ + dup128, + 
select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg759 = msg("node:06", all45); + +var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg760 = msg("node:07", part797); + +var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg761 = msg("node:08", part798); + +var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg762 = msg("node:09", part799); + +var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, +]); + +var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg763 = msg("(FPC:01", part800); + +var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg764 = msg("(FPC:02", part801); + +var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + +var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + +var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + +var select80 = linear_select([ + part803, + part804, +]); + +var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); + +var all46 = all_match({ + processors: [ + 
part802, + select80, + part805, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), +}); + +var msg765 = msg("(FPC:03", all46); + +var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg766 = msg("(FPC:04", part806); + +var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg767 = msg("(FPC:05", part807); + +var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg768 = msg("(FPC", part808); + +var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, +]); + +var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, +])); + +var msg769 = msg("tnp.bootpd", part809); + +var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, +])); + +var msg770 = msg("AAMW_ACTION_LOG", part810); + +var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + dup60, +])); + +var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); + +var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, +])); + +var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); + +var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" 
message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); + +var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg774 = msg("RT_SCREEN_ICMP", part814); + +var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, +])); + +var msg775 = msg("SECINTEL_ACTION_LOG", part815); + +var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + +var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + +var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + +var select82 = linear_select([ + part817, + part818, +]); + +var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + +var all47 = all_match({ + processors: [ + part816, + select82, + part819, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), +}); + 
+var msg776 = msg("qsfp", all47); + +var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, +])); + +var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); + +var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, +])); + +var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); + +var part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, +])); + +var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); + +var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); + +var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); + +var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + +var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + +var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} 
(%{dhost}): code %{resultcode->} (%{action})"); + +var select83 = linear_select([ + part826, + part827, +]); + +var all48 = all_match({ + processors: [ + part825, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), +}); + +var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + +var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg783 = msg("JUNOSROUTER_GENERIC:09", part828); + +var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, +])); + +var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); + +var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, +])); + +var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); + +var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + dup23, +])); + +var msg786 = msg("JUNOSROUTER_GENERIC", part831); + +var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, +]); + +var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + 
"ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": 
msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + 
"ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + 
"LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + 
"NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": 
msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + 
"RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + 
"SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": 
msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + 
"UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + 
"UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + 
"usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), +]); + +var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + +var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var part851 = 
match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); 
+ +var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var select86 = linear_select([ + dup39, + dup40, +]); + +var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var part878 = 
match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, +])); + +var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var select87 = linear_select([ + dup75, + dup76, +]); + +var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var part886 = 
match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var select88 = linear_select([ + dup87, + dup88, +]); + +var select89 = linear_select([ + dup89, + dup90, +]); + +var select90 = linear_select([ + dup95, + dup96, +]); + +var select91 = linear_select([ + dup101, + dup102, +]); + +var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var select92 = linear_select([ + dup116, + dup117, +]); + +var select93 = linear_select([ + dup121, + dup122, +]); + +var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" 
username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([
+ dup29,
+ dup21,
+ dup51,
+]));
+
+var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([
+ dup47,
+ dup46,
+ dup22,
+ dup21,
+]));
diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
new file mode 100644
index 00000000000..64ad00379f7
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Juniper JUNOS
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
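Review bot: A value in `source.ip` that is not a valid IP literal makes the first `geoip` processor fail, and because none of the processors in this pipeline carries `ignore_failure`, the pipeline-level `on_failure` takes over and, as I read the ingest semantics, the remaining destination geo/AS lookups and the `rename` steps are skipped for that event; `ignore_missing: true` only covers the absent-field case. Since the field values come from a generated RSA parser, a non-IP string landing there seems hard to rule out, so consider `ignore_failure: true` on the four geoip processors so one bad field does not lose the rest of the enrichment. The `on_failure` handler also only appends to `error.message`; adding `- set: { field: event.kind, value: pipeline_error }` alongside it would make failed events searchable without inspecting the message text.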
diff --git a/x-pack/filebeat/module/juniper/junos/manifest.yml b/x-pack/filebeat/module/juniper/junos/manifest.yml
new file mode 100644
index 00000000000..ddc58972851
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["juniper.junos", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9513
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md
new file mode 100644
index 00000000000..005ced11763
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/README.md
@@ -0,0 +1,7 @@
+# kaspersky module
+
+This is a module for Kaspersky Anti-Virus logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127
+at 2020-07-13 17:55:38.911054 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/kaspersky/_meta/config.yml b/x-pack/filebeat/module/kaspersky/_meta/config.yml
new file mode 100644
index 00000000000..befc314eb68
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: kaspersky
+ av:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9514
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
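Review bot: The commented-out option block in `kaspersky/_meta/config.yml` omits `var.keep_raw_fields`, even though the module docs in this same commit describe it as a user-facing setting that defaults to false; the kaspersky manifest is not in this chunk, so I am going by the docs section. Users who read only the sample config will not discover it, so I would add after the `var.rsa_fields` lines: `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. Since the README says the module is autogenerated from the RSA XML, this probably belongs in the generator's config template rather than being edited by hand, so that the sibling modules added by this PR pick it up too.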
diff --git a/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc b/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc
new file mode 100644
index 00000000000..0522311ff49
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: kaspersky
+:has-dashboards: false
+
+== Kaspersky module
+
+experimental[]
+
+This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: av
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `av` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9514`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/kaspersky/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/_meta/fields.yml
new file mode 100644
index 00000000000..9d6e927574d
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: kaspersky
+ title: Kaspersky Anti-Virus
+ description: >
+ kaspersky fields.
+ fields:
diff --git a/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/kaspersky/av/config/input.yml b/x-pack/filebeat/module/kaspersky/av/config/input.yml
new file mode 100644
index 00000000000..5d86e5c695c
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Kaspersky"
+ product: "Kaspersky"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/kaspersky/av/config/liblogparser.js
+ - ${path.home}/module/kaspersky/av/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js
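Review bot: The network branch (`type: {{.input}}` with `host: "{{.syslog_host}}:{{.syslog_port}}"`) exposes no `ssl` settings, so a tcp listener configured through this dataset accepts syslog in the clear from any peer that can reach the port; the Filebeat tcp input does support `ssl.*` options, so consider passing them through as a module variable, or at least documenting that the listener is intended for a trusted collector segment. The same template is presumably shared by the other datasets this PR adds, so one change to the generator would cover all of them. Separately, `ecs.version: 1.5.0` under `add_fields` is a hard-coded literal with no note on what it must track; a one-line comment such as `# keep in sync with the ECS version the pipeline's mappings were generated from` would help the next update.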
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field:
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + +var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + +var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + +var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + +var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + +var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + +var dup18 = setf("msg","$MSG"); + +var dup19 = date_time({ + dest: "event_time", + args: ["fld11","fld12","fld13"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], +}); + +var dup20 = setf("obj_type","protocol"); + +var dup21 = setc("eventcategory","1601020000"); + +var dup22 = lookup({ + dest: "nwparser.severity", + map: map_getSeveritylevel, + key: dup3, +}); + +var dup23 = linear_select([ + dup13, + dup14, +]); + +var dup24 = linear_select([ + dup15, + dup16, +]); + +var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", 
processor_chain([ + dup5, + dup2, + dup22, +])); + +var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, +])); + +var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, +])); + +var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("^^"), + field("hrecorded_time"), + constant("^^"), + field("messageid"), + constant("^^"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); 
+ +var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); + +var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); + +var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup4, + dup2, + dup22, +])); + +var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); + +var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); + +var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); + +var select4 = linear_select([ + msg7, + msg8, +]); + +var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); + +var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); + +var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); + +var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); + +var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); + +var select5 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); + +var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); + +var select6 = linear_select([ + msg14, + msg15, +]); + +var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); + +var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); + +var select7 = linear_select([ + msg16, + msg17, +]); + +var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); + +var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); + +var select8 = linear_select([ + msg18, + msg19, +]); + +var msg20 = msg("00010009", dup26); + +var msg21 = msg("00010013", dup26); + +var msg22 = msg("00020006", dup26); + +var msg23 = msg("00020007", dup26); + +var msg24 = msg("00020008", dup26); + +var msg25 = msg("00030006", 
dup26); + +var msg26 = msg("00030015", dup26); + +var msg27 = msg("00040007", dup26); + +var msg28 = msg("00040008", dup26); + +var part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); + +var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); + +var select9 = linear_select([ + msg29, + msg30, +]); + +var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); + +var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); + +var select10 = linear_select([ + msg31, + msg32, +]); + +var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, +])); + +var msg33 = 
msg("GNRL_EV_OBJECT_NOTCURED:01", part5); + +var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); + +var select11 = linear_select([ + msg33, + msg34, +]); + +var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); + +var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); + +var select12 = linear_select([ + msg35, + msg36, +]); + +var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, + setc("event_description","Virus detected in email message"), +])); + +var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); + +var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup7, + dup22, +])); + +var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); + +var msg39 = msg("GNRL_EV_VIRUS_FOUND:02", dup29); + +var select13 = linear_select([ + msg37, + msg38, + msg39, +]); + +var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup2, + dup22, +])); + +var msg40 = msg("GNRL_EV_VIRUS_OUTBREAK", part9); + +var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup9, + dup10, + dup11, + dup2, + dup22, +])); + +var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); + +var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup6, + dup9, + dup10, + dup11, + dup2, + dup22, +])); + +var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); + +var select14 = linear_select([ + msg41, + msg42, +]); + +var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); + +var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); + +var select15 = linear_select([ + msg43, + msg44, +]); + +var msg45 = msg("KLPRCI_TaskState:01", dup30); + +var msg46 = msg("KLPRCI_TaskState", dup31); + +var select16 = linear_select([ + msg45, + msg46, +]); + +var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); + +var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); + +var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); + +var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", dup32); + +var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); + +var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, 
%{p0}"); + +var all1 = all_match({ + processors: [ + dup12, + dup23, + part12, + dup24, + dup17, + ], + on_success: processor_chain([ + dup6, + dup18, + dup19, + dup20, + ]), +}); + +var msg52 = msg("HTTP:Object_Infected", all1); + +var part13 = match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); + +var all2 = all_match({ + processors: [ + dup12, + dup23, + part13, + dup24, + dup17, + ], + on_success: processor_chain([ + dup4, + dup18, + dup19, + dup20, + ]), +}); + +var msg53 = msg("HTTP:Object_Scanning_Error", all2); + +var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); + +var all3 = all_match({ + processors: [ + dup12, + dup23, + part14, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); + +var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); + +var all4 = all_match({ + processors: [ + dup12, + dup23, + part15, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); + +var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); + +var all5 = all_match({ + processors: [ + dup12, + dup23, + part16, + dup24, + dup17, + ], + on_success: processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); + +var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); + +var all6 = all_match({ + processors: [ + dup12, + dup23, + part17, + ], + on_success: 
processor_chain([ + dup8, + dup18, + dup19, + dup20, + ]), +}); + +var msg57 = msg("HTTP:01", all6); + +var select17 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, +]); + +var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); + +var msg59 = msg("000000ce", dup33); + +var msg60 = msg("000000d4", dup33); + +var msg61 = msg("000000d5", dup25); + +var msg62 = msg("000000d8", dup25); + +var msg63 = msg("000000da", dup25); + +var msg64 = msg("000000db", dup34); + +var msg65 = msg("000000d6", dup25); + +var msg66 = msg("000000de", dup34); + +var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup22, +])); + +var msg67 = msg("000000e1", part18); + +var msg68 = msg("0000012f", dup25); + +var msg69 = msg("00000134", dup34); + +var msg70 = msg("00000143", dup34); + +var msg71 = msg("00000141", dup25); + +var msg72 = msg("00000353", dup25); + +var msg73 = msg("00000354", dup25); + +var msg74 = msg("000003fb", dup34); + +var msg75 = msg("000003fd", dup25); + +var msg76 = msg("000000cc", dup25); + +var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg77 = msg("000000e2", part19); + +var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", dup35); + +var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", 
processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup22, +])); + +var msg79 = msg("KSNPROXY_STOPPED", part20); + +var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); + +var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %(unknown)^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); + +var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); + +var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); + +var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ + setc("eventcategory","1703000000"), + dup2, + dup22, +])); + +var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); + +var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg85 = msg("000003f8", part26); + +var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); + +var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup7, + dup22, +])); + +var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); + +var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg88 = msg("0000014d", part28); + +var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); + +var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} 
User:%{username}(%{privilege})%{p0}"); + +var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); + +var select18 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: %{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); + +var all7 = all_match({ + processors: [ + part29, + select18, + part32, + ], + on_success: processor_chain([ + dup1, + dup2, + dup22, + ]), +}); + +var msg89 = msg("000003f7", all7); + +var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%(unknown)^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "000000cc": msg76, + "000000ce": msg59, + "000000d4": msg60, + "000000d5": msg61, + "000000d6": msg65, + "000000d8": msg62, + "000000da": msg63, + "000000db": msg64, + "000000de": msg66, + "000000e1": msg67, + "000000e2": msg77, + "0000012f": msg68, + "00000134": msg69, + "00000141": msg71, + "00000143": msg70, + "0000014d": msg88, + "00000353": msg72, + "00000354": msg73, + "000003f7": msg89, + "000003f8": msg85, + "000003fb": msg74, + "000003fd": msg75, + "00010009": msg20, + "00010013": msg21, + "00020006": msg22, + "00020007": msg23, + "00020008": msg24, + "00030006": msg25, + "00030015": msg26, + "00040007": msg27, + "00040008": msg28, + "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, + "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, + "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, + "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, + "GNRL_EV_ATTACK_DETECTED": 
select14, + "GNRL_EV_LICENSE_EXPIRATION": msg83, + "GNRL_EV_OBJECT_BLOCKED": msg87, + "GNRL_EV_OBJECT_CURED": select10, + "GNRL_EV_OBJECT_DELETED": select12, + "GNRL_EV_OBJECT_NOTCURED": select11, + "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, + "GNRL_EV_VIRUS_FOUND": select13, + "GNRL_EV_VIRUS_OUTBREAK": msg40, + "HTTP": select17, + "KLAUD_EV_ADMGROUP_CHANGED": select7, + "KLAUD_EV_OBJECTMODIFY": select5, + "KLAUD_EV_SERVERCONNECT": select8, + "KLAUD_EV_TASK_STATE_CHANGED": select6, + "KLEVP_GroupTaskSyncState": select15, + "KLNAG_EV_DEVICE_ARRIVAL": msg49, + "KLNAG_EV_DEVICE_REMOVE": msg50, + "KLNAG_EV_INV_APP_INSTALLED": msg82, + "KLNAG_EV_INV_APP_UNINSTALLED": msg48, + "KLPRCI_TaskState": select16, + "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, + "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, + "KLSRV_EV_LICENSE_CHECK_90": msg47, + "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, + "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, + "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, + "KLSRV_HOST_OUT_CONTROL": msg10, + "KLSRV_HOST_STATUS_CRITICAL": select4, + "KLSRV_HOST_STATUS_WARNING": select3, + "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, + "KLSRV_RUNTIME_ERROR": msg6, + "KLSRV_UPD_BASES_UPDATED": msg80, + "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, + "KSNPROXY_STOPPED": msg79, + }), +]); + +var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); + +var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); + +var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); + +var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); + +var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); + +var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); + +var select19 = linear_select([ + dup13, + dup14, +]); + +var select20 = linear_select([ + dup15, + dup16, 
+]); + +var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup1, + dup2, + dup22, +])); + +var part42 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ + dup6, + dup2, + dup7, + dup22, +])); + +var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} 
%{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ + dup5, + dup2, + dup22, +])); + +var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup21, + dup2, + dup22, +])); + +var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ + dup8, + dup2, + dup22, +])); + +var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ + dup1, + dup2, + 
dup22, +]));
diff --git a/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml b/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml
new file mode 100644
index 00000000000..963dec7e275
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Kaspersky Anti-Virus
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/kaspersky/av/manifest.yml b/x-pack/filebeat/module/kaspersky/av/manifest.yml
new file mode 100644
index 00000000000..e0a8302ce70
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/av/manifest.yml
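Review bot: The `on_failure` handler at the end of the pipeline.yml hunk records only `_ingest.on_failure_message`, so a document that fails one of the `geoip`, `user_agent` or `rename` steps carries no indication of which processor failed, and `error.message` alone is hard to triage when several modules share the same handler text. Including the processor type, `value: "{{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}"`, makes the failure attributable from the indexed document. As far as I read it, a document that hits `on_failure` is still indexed rather than rejected; for security logs that is the right default, but it is worth stating in a comment next to `on_failure` so that consumers know partially-enriched events (no `source.geo`, no `source.as`) can exist and do not build detections that assume enrichment always succeeded.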
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["kaspersky.av", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9514
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/kaspersky/fields.go b/x-pack/filebeat/module/kaspersky/fields.go
new file mode 100644
index 00000000000..60034a8e98c
--- /dev/null
+++ b/x-pack/filebeat/module/kaspersky/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package kaspersky
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "kaspersky", asset.ModuleFieldsPri, AssetKaspersky); err != nil {
+ panic(err)
+ }
+}
+
+// AssetKaspersky returns asset data.
+// This is the base64 encoded gzipped contents of module/kaspersky.
+func AssetKaspersky() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md
new file mode 100644
index 00000000000..1531abe3c91
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/README.md
@@ -0,0 +1,7 @@
+# microsoft module
+
+This is a module for Microsoft DHCP logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99
+at 2020-07-13 17:55:39.223135 +0000 UTC.
+ 
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
new file mode 100644
index 00000000000..ef13fce514e
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: microsoft
+ dhcp:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9515
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
new file mode 100644
index 00000000000..5819117e04b
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
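Review bot: The sample configuration in `_meta/config.yml` exposes `var.rsa_fields` but not `var.keep_raw_fields`, even though the docs hunk that follows documents both as settings of the `dhcp` fileset (and the kaspersky manifest earlier in this diff declares `keep_raw_fields` as a module variable, suggesting the generated modules share a template). Since the raw parser fields add a second copy of parsed content under `rsa.raw`, users tuning event size or retention will look for the toggle here; a two-line addition after the `var.rsa_fields` block keeps the sample and the docs in step: `# Toggle output of raw parser fields (default false).` / `# var.keep_raw_fields: false`. Whether the other modules' `_meta/config.yml` files in this commit have the same omission cannot be confirmed from this view.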
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: microsoft
+:has-dashboards: false
+
+== Microsoft module
+
+experimental[]
+
+This is a module for receiving Microsoft DHCP logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: dhcp
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `dhcp` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9515`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/microsoft/_meta/fields.yml b/x-pack/filebeat/module/microsoft/_meta/fields.yml
new file mode 100644
index 00000000000..9b510450005
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: microsoft
+ title: Microsoft DHCP
+ description: >
+ microsoft fields.
+ fields:
diff --git a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
new file mode 100644
index 00000000000..e8e683f9022
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Microsoft"
+ product: "DHCP"
+ type: "Application"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/microsoft/dhcp/config/liblogparser.js
+ - ${path.home}/module/microsoft/dhcp/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
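Review bot: The `debug: {{.debug}}` parameter handed to the script processor carries no comment, yet the liblogparser.js added later in this diff writes the complete raw message to the Filebeat log on every dissect attempt when it is on (`console.debug("  input: <<" + msg + ">>")` in match()). The field set this parser populates includes credentials (a `password` key, "Passwords seen in any session, plain text or encrypted", is declared in the fields hunk above), so leaving debug enabled can copy secrets into the agent's own log file. A one-line comment would make that visible to operators: `debug: {{.debug}}  # echoes every raw message into the Filebeat log; enable only while troubleshooting`. The same caveat likely applies to `keep_raw: {{.keep_raw_fields}}`, which from its name retains the unmapped raw fields in the indexed event, though its effect is not visible in this chunk and should be confirmed against the parser.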
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field:
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i + netscout fields. + fields: diff --git a/x-pack/filebeat/module/netscout/fields.go b/x-pack/filebeat/module/netscout/fields.go new file mode 100644 index 00000000000..db8685bac9d --- /dev/null +++ b/x-pack/filebeat/module/netscout/fields.go 
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package netscout + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "netscout", asset.ModuleFieldsPri, AssetNetscout); err != nil { + panic(err) + } +} + +// AssetNetscout returns asset data. +// This is the base64 encoded gzipped contents of module/netscout. +func AssetNetscout() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JBGuYauxfCLHcCnhN3uip0uQC6NVMqBW5vPgLISUYpnltuZKvyb/9hRDS/ZDMOIjSTP5Cwn+9xo/d/74jklaAa6yUvppwaUHPKIOJ+3v3NULUEvRKcwuvidVN/xO7ruG1w3SldNn7ewkz2ghb4JKvyYwKA1sfD/Bt//eeVkDUjNgFtIiRDjGyWoAG/MxqOptxRhbUkCmAJGpqQC+hnAzo04begZi5Vk19e1J2mbpZFrGWVGyRN7762PqxJTaLVGa+9ff9K4xv2GBXPi64cd8j3JDGQEmsIozWtgn813RFKjCGzt2/qSVMVWAc0cp9vgOakLdqTk6BqRJ0nBAPi+8idSg5LVxYgrSFIy0x4IBwZu4HlhvkOVPSgrTG3Q8ujaXStmiYKI6WV4cgWFK7+8EQO+5xcksQaslqwdmCUGLAGK4kWXBrCCXvwf7OrQRj2t2fDI5GR6xZqEaURMISNJlCd+5qqg2Qd2CpQ42SmVZVb6mnb9XcvLig7AqseTYAf8o1MCvWz4kNeFPyAbyw8Cdc9tCcRBkpYAniAE4KJXfv5xYnT6HWwKgNmJQw4xJKoqRAtCydCiAVreNYVWZeJLswe/b4Xbjn56c/kCUVTbjxvARp+YyH0wnXlFki1Nzvlx5sBFLHHfhwWvB7bjtqqi1njaAafx82djJ6MgagDzopsZMxgDx+Uka3ZHncPXn5//dk/564VfNsyP2ur5r+USAhu9vyaLBb0kOEXnbUNBjVaJbp7b0/23Ld//thZiy1UIG0jxE52pTcFkzQnTv8SNADafX6MSK2cDrVY0SMy8MQy6sxtZLj8Z60Eugh0iMv22YAZUobakSvidmZvS+2bgGHzUAPGSgJ97MidvSQAfQbrIhxLu64Vo7ERdnzqkTZ59k1IDMR+0iEg3dmHzuGWt1I/qWBjRqtO/rDn9bbRu2Jksw9DtSqx27ZjoibJc8rDvvcPXHL8BlntH+f36o5OVuCtOQShTNpZAnamSAagqAakD7j11ASA9YB2frx9hpm3GBpN2EA+94GS7cJA9B32pShJzC9f+mwgzmg6w48uRsPFspk0lf75/JXZWxfRIrdE2lAllzO2w9N7Nj0fEhfD3/5IQds8KNRxp5fLH8itCy1k5Vj132XuQPqrfpambt8lZu9r/7fZa/jVn7ZsCsXvCOt7y0rCSVzvgTZOcm+
XkXAsegw/0VeC6R8jMrf1xHRGHVoqHpdaPiSYa/7wUPcYKR7ukYun/mlyQVepOfBm20p+biugTA6lCBTIMDtAjT5dC7tD6+I0uQXoaj98SWZUoOnqA2Qzfi80aj63UD3IeruV0w3hkHzGZ8J/Avu13OVy822zzpuV/7qHQxKr6gusyl1PYnWI7vPyfOLz1v6HiUaBN3dUkLM2liowiMa0HbQFuBPqvHMc/9Wms+5pKL9zba2cgMfculfexIjzi8+v4qwIKA/4MT9WdBhNORyitdnc1CHiuOhr88CaAn6KLHrX3Epcn56nyipx7cfLEUwh8VKH7WTTbAiu5+NtorW+UbRwoviTJcTJQQwq/TXKIAd9x4g58adOW4I86yD0mG6pai+VbtqC9nD6Edo8VVs+lhU1UoZTHarlCTT9WDTCNHwpQFjHUDDq1qswz65LztBT4CyBTG8BPL0e2IXuiEvf/75GVlRQwyA7FbZw4lHobzeghOmVtJAPlawr+ZUMNVI2/kUmmrqhZ67yiYKgTylU7WEHjO4jGZWtuLNWA20Gr0/7Ks5Ng/MKih5s6unpWDUNzHNsXMs8Bnh9p/Ny+9/+KvxIv1FjQK0RfqfA2r+6ezBt3QNmrwkZ5LR2jTCR1acSXknuR6Dfs/gRyS3MrbKjy/Jvzpyn5MffyT/SpjSTl9GKsKiz8l/F/Z/ui9yQ7aZ8k10C6Uq4dHaunIFBaNCTCm7yqsBe+SksnhtqPV2hWMiyLJWXFo0TSzEE5zxcBSgtcqUn7bRB00NjFOBGCOmxirtNGu59lqH+2BJBS/9wYghRchMNbJ0L4wARJ7LeVCObkxe3L4RA8gpYoHhOuwJG43swlooWj6Wdy6gQwz/E0gFVnMWsTqCKdz/MtrC/rlvhbB79qndaLRq1m7bhPyqVm5rhjYnl0RpZ4xZRa4A6huY9ihevK+EaVoxMKZY8rIoc0Vdz1rJMwcJmlq85KXjYM8uXHJtGyqc0b7le5cRFwevuDO7MVaOzPBUhKt+fkq0k9YGHSrINKrnYLuv3cgJozMlPT04J3wm3H5O6CyhoKHgPz9tfa8foFIWyGU470wDPrTT9ZigdP9rAzFfQeAlrFSYWvCcmQ2P2pw3fKD2PwrdzMncjOcdb517A8JZb09da7WEJ+S/RoTRi5cZFw8Qo3erOuPo4uTNRdB9GZWOPbyqld7VeAk+kV9dGkTzONwfn/xThYY4mu4xV+q2Kd9sfrIx2L2eg5b5hLz8+RVZId8roJJQIeK+AnTqo5q08R+RFWjwYKklAqixRMmdcpFtJj64mvh1MzFyV3OEbQPvfle6RMZhVhOwhVRCzde7gbgZ1wMtlpCfCVtQTZn1THSXeo34o9NckkaGnB6x5TMfrahNXdDtA/U5gwh7YpdoUVROyVSyDSNouhqVaShZd9RKylBj9TEKGXwOirFGtxCNpbKkuiRS6YoK/mcsv1fpKsqfMmQ5HMwi1UwHT9KdmLTBukPmheAzQIojBr4BpmQ5omBvtrswNqefZQ9BXDJV1QJs9ACMOlEpKvBW8x0x2Ks30/aBDvKlWzt6nMeO8vbJHD1+lZJ2kWibNvWpqXJeNllO5QMx/kyWOdjuQP6pZO5uC3vEolu9VTF9eu3HXQ4PRFS2G/2GWLi24fKRJWjTK6co9+WBRfb3vodtDTQVmZsyPaZ0CWW+dzAk2YRnynQrtjpGm2nTfbEfXx++VlpVE4TaYFG+YSCp5sqr9VUjLP/OctCE1rVoq182vWwqKuk8VppLiMDwTmsveqQ8roZw+8QQtZI+MmZpVe96BgPGbjWH4vD2WUPYgjvrRpVgJuRdYyyaSX2g7lZSO5KXSy0cuEl7Bdhs5vBewjE0IdzkdkHPOw0z0CCZPxDUqdYlX/LSaTZ4HuKC7LIVZB93mBcn8rrm+mgUbvbTx4Ku3UnkVqw9scYJPaevOaTwgO73jSbc9FEXznMnjTt5Nhks2aWTqSa1BKoGitx9IXb8T31V
UIP80kBztKPkTrc/RRv5uKKGIBLlyLlB5H5IzdSESsEWQzPItHllM7y+8yoHrnWRAdW6yKE91ylF0TbQl8mhZtCVeq/Iw5iQO+Zj9I0ZPJd3enMOFZs3ybVDggWbB2KnG0JqRxBlAyU+hWJtGpE77DRiRanGMlXBC49DZ7xgVraaDU4IlYEFWwbkyAGBJWhuc5aO7CGsXT0UAfYiO/tcPnmLFwe9A/0r3VW6OGgYd6qB8RnfGD5x7dYHc8Z6qgRdOX82U2QDOhcjLzcFE62LqgxBlijewWw+1iZ83rbS+5ag0uS3y5Aay02bELDrV8P12x0aq5I0tTI8oeC41dlCc1qWvsMUpvK3d3e0C08jbJGvddEdRZFsKtCc3VUWRWk7QhXbHsL6lWzdzfBiyd/vAWlLkKXSIWF2L2Vq+scDdK9pQ7tq+gewuB3tEMtfCz5gt5Og+xHzkj5nr7pvhhcyVP0HMRO8XAva5RZLZQkli9DxIp5AK9S8aBNVHkSotwfxzkL9GD1TtmTf3zHdCrtWo/iIK/5KcLbOfXv2yIULRCA015ZiPSKXG5EzbzrOwA+NAEQsLk6VtHCdW2PtEDqX3l+36YdKy9K4/8NHlYoWoVgDmBseZ7agcg6FhFVuWTAWuIRVL9SPSoi1mk8bCz0JMczRNx51p633n7+46DA1TSbsOs4Jnq1t5T6moSG4m1/kkenrbxHjFivAHMPahoNmk/Oll6An5BL8pjQG9ITOAVt5h0z3mdItDgPYLRivtzP8PfG/7/WtUJpMtVq5z9q/Bl3Tm12j/aTPywuqbWo3XQc4tUcl3Ck1qA491p1SouzUxlxXStUQAoq53uI3klAB2nbZRXqzaPibD28F8dFrAoBJSBGFuSRSye801ICWzL7sBzQbjvnksEZrd2E6ewV3EvW4F9xH2Nrwz4CyFbeLoCx7WU9OccEpVptIouR3c+X+e89LgEpKEVEcM9JNe8HAF4iAQ1LNiJMOloOZkMuNTNkdbNCvrMqD8Ykv52uMM2J8yahPtimD+A2Mp4SJxtj2QIZ/DLYJf8KN28lQEx38G07xxU/HVaCjaz/+hsUtet+WKZ9S9uQmw8theYpYEGqMYhz9pW43ovYkbthbfgWvCSX1Ym04o4KU3Fw9J7XGmSjPCVj2JK4oU00Pqb2840Pv62w0rcCCNqSmBrt4GWzk4HsRMFVVToqpraD9sLQGLNur7vn34KE0vt4eZniYvPhmqqqb4R3MsG2UrLgs1Srk0zIlGdT2eZdJMcqMAZmzRog1+dJQ4Z2fpaool0FqyN5CQo08XX2vZyp1aQ/pTiV8y+UVlKEWqE1Epwa9U8FAcZ9806E24eW+jRODrhBZRV1/spN3S+wi0KL32+VD4fVbHTyv5HLYrqcLOoOu+O5gp9wu1rAmYuvP/35N+8fEmvaMi/x3vCP5F1ytu8YayoYBaSNHEHe3GdCciiLymmZ7RC5xyVZt3n0few+ge2FG/QLArsxBLQdSeIzD6u6hW1Cz6G6oUwsjVYYNW/jM37bGpiszPGkh7bQIc4R0y0yMZu5X3b+HlabEyXNJOObcNZIJoNr9CRvhbVALBYTB26nbws6bow9e+DXDPk+P+sViqppy2fXN7j9YoWxU3+H1WnLdmGN7+vraCCIw7vE7ToA0ciVO/Oq+J+O4p9RbcNld4x37vJf5/JS895LmaWjcQPy0vVD063B7FtervQP6IXz5Pffz+SmyNJS8dWJi6D3Yjsj5NEBPwsQfIicLVtzEjdSlWefsZb8d1Q0F2l5d2OvHlt74PuKpcaw/6RYm56c3arKp/HM3aLIOsZey3Gi0E3Li6zNDv1PhP9ivzSKCevsbP3wT3HHTxnaVm8p2j1EjBRjPGeUflJUiS6o5nYpBFaBvysAlqQUdEQQGpMnaH2VrQ/uqql954iSV0zDa+kLu9vnyxfnFrg5NQstY71EYq8s+cKDgrWshN5EWjyQ5l5Zc8rmkKCxGjmitdM7mtU8G
8ssd0otWd1PY1RH/0yHSu8t4ykoVOTjvf/tIuGSiKcGJszDI1v18Qp6eXdOqFvCaXHiHiAeL0nsS94tgZO7osU10Tm2eljhm3Fw5lfsAvO5QitdzY74PT8MHbq72hFyt5vM56Hwj7OIs+9yPBQQcUDtdaDALJUp3erytPjJpdCv0fgTPwjD2HqTy0w9ex3jWNeM4P42Xkdw6Os9UVRdHzrvCXQm5VzjG1fv3TDP9zqGjJNanznDcjCobNmalBbX0gbLG+ph30lJp7Dzg5HqL38iUOKrLFdUPk6E37KrvpCsND5EjYqQ18lMnRCl5R1nbTzmu3DoRdFQ7RsnvWgVV75dC3tZMPtRaAzXJc4ONpbZJpTh3/ijKxYOZHW7xqbomvHwx/n65l7U5BoYOo0+Dxsf+Ljgs4le3fccyT98bHPLT4dy9Q54zLlWTKsbZqyMx8+R3yknSlE6HgUf2p8SAc3dm3DoSb4Rwco+YhjEwZtYIcubWJ0yVYNyRaJv9xi0LLku4TswAwY09TPO8p2zBhdEU0y0SU9AY36yo5gIzeCIePB9/l3NCkYnfud9GKZMZzqGa+uZCD6QRh9XJ0y6fswZt6lB06yXMgGVBRdgkxLcdnp6NFBl6N9fwPc6dUOKVry7JK/iq/Lfdh5RLQ0qwlIuIk2GqGtv73QhpShw9N7P12NIujw3xGH9ILVS1yJbN84aUMKMhBBQ6X7Yx/JCt6bTiJWhB11jIZVV4XMnTyI10H6DVHX4Ns7YK3PvqjeW2wcaMJErYxjYYNmy673VNGsXq+XcYTY1pBlnFVFW5+5TnGJ146IT3kn1rrZa89P6ztotcBWY0EapU7PBA4929Zb9wsdEaWT8vL64aXNeY9PQwsr5dPa+s/0NND/Q7HUze/1bTEICJ366a52uce4oJxX7nLy/OyflAoeqjka1rbagu2Y9BwsKurhp2ntSQvos/LORWx5V7LyKKqSpzV3wNKu52lY6AC3G4jKhHi/TdEnzI4AiV5z0XcCgd9gm0XTyEz3nZhXJGnHhVaqtxUAae4OVPp+R1dNdNzmeqne598cl3z2kDUZiscQ2s6XsRfOrXFGLlrW0Xpn2JG0dwhES94uW2Q6SrrqRLygUdBjJI5wonWF85A61HJi34O3SIrz9d3C0YK1VoAOUDsAOSQrqB4fPJiETkVTFtynKd3D/DqyJpHVAPbmPgsEbne71U6SFqrhJ2OdgpsStMc4yCBG762au+5yptSm67yrpNX7SAUWyw3aZiw4uSTXhhP5E+Syw1B5dHs8pPPp+Rp6FW4nMjnK485QILODAP7Oy6VsZ98xn5buhokLtRmCupVnLLEDLAGmxmsdyGPjJpk9EjuOB200JP2ir396E06S3MKVuTT6PmmuBTTR+iKD8svMViLklFuZxpWsHedIyaapzam79PwpZyeYHLkveq9MnRm7aAvayzCFLkBu0LUwUcI3JZSNt9497DivzaSDQl36kSBHnK5XLy7XPCFXtOpu7/wP0flVSsDTeTb+PxRcvqYiboYHJ+ah1qW8M/uSC4KPq6UE6u2+FXara3UYNVWTH1f50GPNs2CAa0O8hRhJZVWrm7g9nnd79TDeSjTwD+9tvP735/8+Hs2299zu2SaspHz+RK6auUJcs3XrDf2wX7EbZRJxiVqZWIULOTtktJ9xxQ5p6LdQYTZqY0SMNZSgHScyVlwLhK7wWJxAdSAS1WlA+HE9/bO4C9z1MDddcndYm6aaaZLoWdlsbq1JXvWK+dzSHWf0uTvaNtzUc+J+mhxS6bwWADlSYUm2zqXkK9iwMx46OOppbUbI7YQ0mNdiOKkLlb3hMXygf3E7y748IhH/T/D8NVNyqzn/z3IEes7PnoAyJ7kXyQw9HGcffhp9QRkra2drZnlz61XUZ7m2WHfTKfodttcHJvjky3Lav5MeJhWPQ1o1w4XrfNXC6CzDg/7de2YScuZw5amEdaGIxnFbY514VTEQ+g55DEa0y3DtVH
J6qqGrnriRpgJw9r3HRf7N7Dtf07xHXqDjdzmGZ9X9wuqSz/XcWjZhvcLLX8EMlwb+yGC28hZxpTc8ZVsizRY1nwiP2KajkMOjx21I2s6kLlEsaX799dkN+8H3WTlBpH5MtRUwku/+Mt+dKAHund2ghZaNjt1Jk3uaHnEF2TD23RWTStq9PSWcKHtA9UpR4j4IDWBzmOboJqI8Gxe8Mt0w9ooILqKsNuObAZ3Au0TliA3AFtymRTabdgpu12tQW6pHZXK7wv3ClItqioTlVW0sFd13Qwvvje0SfKBulUSWAWi+RngcEsbQFVB3g2x1ZLGcCq6R8ZoNY0+SQM33Eq+fHCoHvBUz84oXNbBU71TI60LCjDwSjpy08cbCMTGu89wNN5vfxJXttF8vedyYJZXZQmad/1HnQH+bDI0y0ALwVNLjFkAXLOZcKiyCHoHLnRspgVZsUtSy4/ZDETamVolT53pQ9b2mU+6BmiLkwWXOYUJ1zWoKvpOlnC+wB2za7yAF9SkeOs8LqotbKqSB+SQujLnwr0OKaHLbLdTaHmRZmD2Q5w+vw3JouKXhfWpnIbbAN2J1pAhkeh4jIT0lzmQ7oWphBTUaQOi27B/j4j8OSdwXuwU/dC7MNOXdXbh/1zRtivMsL+l4yw/0dG2H/NA9uqWtAp5BApHfT05pksqkag8j1dZ3gnW+D1VQa9pGoEn1d1Hu3baZlUzFMnIQXIPIdSYuALS+8bkYXxCYkZdtBolseadIDzWJNmbZo6wyxSJruy6iymqlXWmR5wnUGEWGWdYZYLNpo1WYA3kl9LKpUBluEQLl85rmR6FJavVG0XQMsMbjVV1QUTGXzYDnCGIAnC1dO1Te8WdZBNFsh1U2SIaTDNLWdUZCggMgWdg2TrhFlXfdiSivWfUE5z4L0ssA1oFsi+HUwerH1ibRbo03m9fJXHB22KKbd/zdJojJki7ay4HcBaJRfVJss1R6jAdPoqN+N9/MlmbfUAg114P39654gHjmpfFuC+m3y6DnI92DMuIIcNY4pZjk3ks5TF2duAc+gGpuA1JikWWUQdr5c/lcbWg2b+iWAbzbLAFnwGOcwYg47mCkqerGB0GzaXeU5JpcpGgGEqB7cDcD7PIJtUbVbUJp3534MeyyBPAljDnBuraXpPyAZ2Bo1PQ52L1Tobrw12IteZ5KvPzPdHPAN0q4FWGRRJXwqUC+18yvVqobgp/ITZ9NDXVNMsB7wcKYRNAXnp59unhsuNpTL5nOPS2GmjUw0LbKGCnxWUA2qTHNf0enRbk5waLE5umKUfdn1op4F9MOe0LFPfAV6mDqu2rYMyvEW8KphWqsrSlcgBzmCm8arIkxwZOh7lYHN9lbw9U23Styzltak1TwxUUMttkzz7THAJ6VrsbKCapBN1OrhYfJverSWU73pazIRK/px3wDOk/DubN7nUcUAzSBxnQ2dANXluglDzLEdXzrNc4Frp1AKsmjbzHNes4oblEAuVyXJgc8yBkGCxuVJyuMlluG8AnTrjz0NNnY4nV6vUFkiWijLlB0Ant0RVes1IaT4vIvO47g13JUGnf7Pqwg/lTQ426WTqDVg/4jXLIctQuBlm4qQWBgFsamlQF96RlBxdaoz7sGCLVHX+A9BwXfPkgYAadDXXVNpBz90UkFdZAKd/en0nsk+fdqaAJgCs1bygpk44MKAPWtPUUDVQkUO/08CQD77raCbg6ZnsIKdt4dqDrHSZAeP0jkyTwTdsvG84Qz6AgdSJAH7gcQbjxMCX9Acg1qA1GdQMppTh8wyC19SpvWxGsxz3QLMyuSJtNIt1xU0A2KYbsdWH2ZjkXTWXTKYulIhOi70vUN+kMzX5dm7THysPNH1Er5vpmRruuk7erbUpp1ny0BstMryFjQFdlDx11XuWsRVtZCgHGywzllapvcHLgktj6SyDZrDk2uZQw5e1zNC6ySrdyJRu1lhbtEhH0TeNVeRDI8lg6S57JOOwvM9U8JKcaCi5
JSdUl6GbocH273F0/OSsjFwamxCKYHCIPsH+BkwJEivV6fIhuMzHubOqFmoNg8GCN/JvpppkTb1vecYcD73PCOedaZjDNanobqOFTSxWzpvdYSDZkRTc4HCGdvWw9dhAiZimrpW2ZNh4lJDVglrCLak1zMaOwj3Scu8yhCLG+GB1dCgQLkNn95G+0ILL3BP5e6i61fp4GmLVHOwC9GTzfbNQzeBFI0TCEnQ3jsgqUlNtgLwDS3EiuL+rtGPB07dqbl5c+LLXZ+Q0jPh6TuwiMqUImwF/gDD6GNGW5D3Y37mVYOL7PDzUWZg3w5Hd3S3CxT2xBqhmiwmXPIofztw9Qn/tHfGJszAwGeKFoI3EWb/zBue4tk3c4w3cd/q176EpfzvujqauCXeYXzxi7LuNKBLWNN2u8youSz7CtcVbMeYuOMY06hGBtBlc9x4nVEsxMvESu+dmHAeO/XMNWKLhSwPG7mnafXi28t175XuVAcfy+FW9xN71SHV5p9vulH04eYwwNrb1d+zQbl5HKU85+//m+YZusfPTVijg2vGzgVZDuiTeOx5h97hMqQHi07U7bMjgVnW7FH7xMPjKbhR8h7nSvn19lI2EUEMMAI47o/vnVWkqDWVHGO876DDtl5ao9m4ODWs0TkDbh3QNuuJe3TgW0psl/WAOvuQC5kAELEEQagyfS79xm3n98aOPLZkfUH7j+ntO+vRBJj07zBrJvzSwOyaRxi9fD9/DOiYeNgWl1Wh46S8kU1IC5laQFbeLMUFBSKQypNPYNRxUXnRn08KxE+VJ90QJNeeMCuIwGDF9EIuHxQ6XGhnT+HC8qxdrE0evl862UjtZrakfeCo4NcVCZbcJvBHXmWs4S2Uz1MhJxf4Inng/AOIvjcMW37QwiIUJoHryRhjlDPGt+3aKwXLya/jFhLyR6+5fA+gWbXkjLaHlhKmqbizouBjO4sZ3hOUzz77Z3Qucsbi1Idz+s3n5/Q9/dbbvaW87Wo59E0U7nNMibcTsto4bugZN/qXzyZkXAQ1ELn7rU9f/5D/zcoPz1qnfux8HJi/fJNue7A5McetMyPvfPp452kGDd56gv7TkhmmoqWRrp1UG9Uzs5oIQ5NBz8vHda3Iu7Y8vn5Pz96dn//mafDqX9tVP5OlqsSYSuF2AJmyhTBiVprQGZvFbP7z6X//t2ZMoR8AuMsq4XX6gTJ1UND6Ox2Q+fXe85pf+LJ63SMWvePm4kO7LphswP7Bh3K0f+Bi+O4rpxjr5zLVtqCBv37yPIvunkpDPl3XYyfg/SsIkzluH7lcjQpGQm4UnbsFjfIP37MOcWljRBxiRjqf7grwpS41+Wn/KY+h0Ty+r6kPjnPeNhZyfvLvwr9JoeKyi5ojRjy2nktdUw9tNzi8cKiPeL8fDAydBJOGhW3uch60mVvjpWscVED10aVly92UqNgHb3iz/+Dt3xAPgTEK84Crc8NPtIzBAZZNrnUWvu+2TRsn7gOGF0rYTyQOhW2KADTeA2/XNktccmfeeHi7n7WPSkvVujPESYnbjsby4ATu0fKkxinGncnq/0UDHIU4uayrnMOlMJ6bkjM8bDSWZrhEmyBKzhuJypj6w9cCgaHREW44uOsvQ70Ak1P37JVzJHQAaKmWhCJnd6fOM0rO2lKaghU/FzwC6tjoP8FmGIzHLUC0sclyHXP1P6gxMpWXReuLyqeW7FryjY7K7Wt+Z8AAa7JldgJZgycd1Dc/Jp/YZe4sOsB/JResAG7wEv41pau2oniMoEyOmcYt08Is/J1SIqDJRb76ICW5UY2LeErR7A7m0ihiLjzmX5NP5qEBhmCCbTV4lF9kOqKozjH1zgDWY1Bm9DmyGEhf/IqZORUd/ewZs/WiFQoCcJ58UiTg75SOjFjqigXqVh4peAEYShukEM0LJL0qvqC6Hc7oJeTPHZC9NqLvx15hLNwW7ApBx1TNx18S7xriVpaIfqvPIEGwZj5kRAwq5DHmumJZQcevEUhix
ESdxKag8Rhz/Fg7KNkGk56IcELjtstxEUpbOgp2jAbv98qSOVALDLgTLdP3gbhexp9py1giqCfaLJi0ST8+uX79VczWbxae/AyvsArJv7xayH92C/jb28D5zeDt03zR2AdKGZPFRtE2TsnPC7RJ6/JLjqH8yoEcRVo1l6ricDkuOI3zZMAbGjOCMnccPa452WOIJ4kWcijtXek0ihQkD3I4hnLZwhB0cnVTCAJ+plXTvipNbMeWw+yEZKErbVC3T9aMbeTcp8V1LsWZAcCg7eoIfZkcf5pIYbpuI/CRYXABBRAeoC2oILVXtXhe7AK6JWsnNlnnGWXqtpKpG8mpxJofhvkX9cZUIp9xzWTr5o7TpGEDJL1wAeRMQmwzYcBtnr+wI83dyNGG8o/9B0hVGWXAZshbSciFGY4QRKevd78EIn693Geo1UnNiPCF0qnJWD0SIn8KCLrlqULtkqqq1qvhIhiIcG7kzSacCi8hm5GQ/blwuO7GTEcldDLe0ThJFYAvDpMNlDkAwsn6HX+7d7b2ym/s2euw2ZZaNtLvlbKk1+hLLwAt2iFl/Ky0I3+M5SNCctSQhQzDRbze1gNsFPrWx2W4kIDthP0yM1ePBz5amQ9puPRhNL/fTFNQLv1ZGuqKmaWeEW16BcXLda3saahgNIoVdSNYU4saNwMaD99wGfcujdUjv7gc7Wj/ejqYfCpNsyOmtSQsO45soHNCGFG8Ewi2EwddL3csbqdNH3Tt/0ZLQpm/euWS9VI8jQG6Q450A+XqP4483b1mq0QbH2bLbyUd9VAmS8o7dQn4c9TimpG1wGDulHkvQdvzUySt3GrsoKrAL9QBRErrlSSYejfC10Q3HXkpaZfU67YnqfFAi+GsdInvOZSZPyH9Ofv7+e/L07embi2fklBvL5bzhZgEllsJHcRFqrrL3BdoXCcNs2ZnHI2wzfnEkY0yrzF7FffWfbldjGHQ3Bj3yyYY+3+W6MEz77+p+e44/xCkWM6Uy1iZ9kylGRarudDuEfKAlb4xfgShNDK+4oNqLJyc23R1i+K7Hy6vwnhteHrPTSD9T/pM7CK0Xcacv5uaS56uzeCP33XUMa4RKw57/NziJ8JPBWQiOG+iVZZRxV6bSORMDBiEbZLXScyr5n3uyqmW+o3BbZh/A6f6ZGmH3jOtoLWmmrj+/uOXwtfAtvnzvoq2s5l+BCrtgVAOpNZSq4pJGC+564umCWg7SmhvT4wU9JrVv6YMS61s/Qp3p4Lqr88QJrppqi82QNqTuF6tHbHYUhM1tJOoMStDUQlkkSyrbcz6c8PmlXbELnl1oteRl1zwsfI/WtQia6uBghOY/7lnb1mnjCs6GSF4eicpuydDrz65HyIwOD8XMySX30fPFruI+0gKuUzpTDgW/q+YJ16gz9X7Uq4SeRwj1OipqrNQQY5X2Et9Bq8BSXO0JfmvivvUkTn3Fy1LA8aTcO1zvtnIusr09uXeQnGvHYxyH3IuwWq/DkFy30dnnpBbUbZl7n5UmIJle12NefkyFPII9eYsMOt3Zlr8qY8k7yhZcjph0Jc0kOb7Z5fUniZn+tQYnPpx+5JucmQl5W9KafMZ/eP2oVNLXnf5z+HiSBV2C05wEUE2+NKDXBHsQmlpJA61GFS9OdfQW+JvjyMvQA485yJq3XSClJ9/35RvHsyXpCKhuDtCH0Bz1tpjilKe8DrPdM962lt5qYuRsw/DwckN0I2XUjjXPu5fHR559G6mRGrsAsQgWZv6NoGTFZalWhpgaGJ9x5j55HqsTDHmywwviyPP4bnJuyFPsCAuSbZ4hDF0+63GLNBLf8bcwp2xNPpntxrddBLbaLaRNnl3rVjiCwT7y2vdNLUQFa9XwkLkXccDxrg9ApPp/q9IUy3mG7NsmO79CPdad16vXEYqRwuhBC785gNjj5PWOkRoyfIPrvZV1Z0j6eBfQITXHcdh1AYPtvdkkZPptGOxQvCHFzcXPWDaQciTgaIUbklzCjMvg
q0fhhF39KlqPNB1E7A4qFMuE28YBs6P+pRaMnc82N+2hl9JIb8rOh20tZYvqyC3wN6siw8nAOupvR5YhL1Mu000QS3o3HMlYVJj38YwIqX7ZDm6Lb6O9Ke+PTO0cYJ337bsB65rq9ky5Pz/fkLJa8EErdeJuh7NlffL7rcizyWeW+LYWSq/zbfjfTE3lv93YMaZFZLuLequex54mx5a/vUDoN9D2YCrRgKq23/p+qkZPQQHSalUfIjpK1UwHzoVbnfGwprO24YZyBMTRV3cc9x6eqKqmct3dR7x2OE7f2ytL0O4ZKricqbhSQM1V7hqhG+THjhXZYraCvF3RZ19y5Qj80gixJv/RUMFnHEpyinXP3jkYRWUF04IpdcUfKOj+O0yJX39jP1Mxps0n7za7CYfXjUWV+8ARpjff9Q/dEmHKTnBHe5/8hHxc1570jefAMcfv4PjmaZgVSZvJ7qDtcPCOCP3ExNrW7iJzDFddp1xuY+c9i7XSrbcfQ8wf3o5sea9XTuLj1PKizjuHaA8r3Mo3eu5bNLVSmTSRbaTcOm4/SE1t3DXJZEFNymh/D7AO5fSJITdaJNzmHtSEu9IZo0WjU3lDejAN6ILO09mUG9DJn6dt0EnTH7dBh1OfQbDAtQWJqlV648TBT3aaO0VvoWEnVSa1RuWXOEYt4ZbM/YjLonr1Ivz3SUDhRfiPkNcUc/tTATqenRfIecDouSemHzxHj2tv1NqAnDIMRHMmFZcz0Hok7jqk+yh09RX/G1kfdc8eAcm2L/Gstw2RK4VhbZX1SkWWONrxO/Nxe3fsPmIGse7/6R8wTNAaH/jJ6wXo4/gjnM4eMp6enuDox2fkBNePowbaHqlZygifT0CH4Z+wlYW5pzkvZA0d9xjZ23C36BPT6xS9d6f5n4d6Je/eGiW+2+SS/xn31vCrTDLl/B9nRMJcWe43sF5QMzIByrBjtxXqbaVffHy4oNvqbBOgBgkuO2esbZze1t/EE1IMnx+jomK7v1E39fDj6KBlJ024MU1ypRMhY7JUPm/d/WIoiCFondUHOtiUvvQ8c4uTSwxO75NOR8mQ6DqDhyjy00tM7dz/GPWk52FI3l167sFxXIQaI4plzhd9N6QaHNlRZMrCHT3aJG/TaHIB5lcQLOpMzQ2+2Ywr6T9IKFt/IgbjdUqT88s3/3h3QS7cO0V+kyPTVzbYZqqkPgTbjysVxxbFEFsAuzIHOZFvJ4Tz9iCLDZ3r+nV2LcIwDTSMINxIwT1aLmg+aAr5AEqux6PrCjJqNCDOltrmaBM++1guqeClP4gRJHYF4dG6Wu8ThMixK1ibXbGd6OS3CaSJYS+srU3BcQZtFtC4lTkYwugjuE18LtvKF6W5Xd9wo5iqqqx94m6Jt8cjOITiJfgrrkHsWpqpXSwrQWVhzEMNvHUrexn+e6C2rdGKYutLjYta8WOkVccQ9hgQxACRilsDyFa2oFIOGmfkbjcVVkVERmK2R2rb3D0sYebh72/fvA/v3oud5bsHxSq96/tP3rONm6tiqUSTiwFv2jnOMsy56SZjt+N8G8mtIU89EuYZduvAwt52ou4OeIJIR6kRTSZp9jbg+klyG9IFJttFB0vQmCkwawRhSjKorTOUL/0ejrRXWK1ySl/PeGewtyO0HaK10pYox99f//1NLAU3yvbU507p+fETLHcLDLZcrFPqm51EG8X8/ey3i/ML8o5eV1yW3Vjv+LY62o6ehrk1RHGErEDGgLp9ZHXqU7xkMXl6tq9yLGbHK9h86CL8luTsaseWsyxI5fPT0KU3YLEXQ3G8TXngXgEtxdV/+brhrjBHlkNNMvXtRn+JM6EfKLsxjKtGK74L6la+uPc5MU0kRZ0a8jdjtZLzf5sKyq4ENxbKv70If3vefcrlDFj8oxnXsKIiqsjQqej9hlBZEqPIyLHUMOfG6rWz7I8pLGpqF6FZf4cD2cVhgCQ6pY6Fpi+E9vVaTOleF/JOn+wwB2n1+i//NwAA
//8+Irw+" +} diff --git a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml
new file mode 100644
index 00000000000..ec1e377e5cd
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Netscout"
+ product: "Arbor"
+ type: "DDOS"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/netscout/sightline/config/liblogparser.js
+ - ${path.home}/module/netscout/sightline/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
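Review bot: The `debug: {{.debug}}` param passed to the script processor is undocumented here, yet in liblogparser.js the match() wrapper logs every raw input message when debug is set (`console.debug(" input: <<" + msg + ">>")`), so enabling the module's debug variable copies the full content of each received syslog message into the local Filebeat log; the field definitions earlier in this diff include a `password` key for "Passwords seen in any session, plain text or encrypted", so that content can be sensitive. A one-line comment above the param would make the cost visible to operators, e.g. `# debug also echoes each raw message into the Filebeat log; leave off in production`. Separately, `tz_offset: {{.tz_offset}}` is rendered unquoted, so a value such as `+0200` may be read by the YAML parser as a number rather than a string before parse_tz_offset calls `offset.match(...)` on it; unless the template engine already quotes it, `tz_offset: "{{.tz_offset}}"` is the safer form.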
@@ -0,0 +1,2344 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+/* jshint -W014,-W016,-W097,-W116 */
+
+var processor = require("processor");
+var console = require("console");
+
+var FLAG_FIELD = "log.flags";
+var FIELDS_OBJECT = "nwparser";
+var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+};
+
+var saved_flags = null;
+var debug;
+var map_ecs;
+var map_rsa;
+var keep_raw;
+var device;
+var tz_offset;
+var strip_priority;
+
+// Register params from configuration.
+function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+}
+
+function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+}
+
+function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+}
+
+function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+}
+
+function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+}
+
+function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+}
+
+function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+}
+
+var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+})();
+
+function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+}
+
+function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+}
+
+function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+}
+
+function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+}
+
+function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+}
+
+var start;
+
+function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+}
+
+function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+}
+
+function constant(value) {
+ return function (evt) {
+ return value;
+ };
+}
+
+function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+}
+
+function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+}
+
+// TODO: Implement
+function DIRCHK(args) {
+ unimplemented("DIRCHK");
+}
+
+function strictToInt(str) {
+ return str * 1;
+}
+
+function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + +var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], +}); + +var dup12 = setc("eventcategory","1801010000"); + +var dup13 = setf("msg","$MSG"); + +var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup15 = setc("eventcategory","1801020000"); + +var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup17 = setc("eventcategory","1607000000"); + +var dup18 = setc("eventcategory","1605000000"); + +var dup19 = setc("eventcategory","1701000000"); + +var dup20 = setc("eventcategory","1603010000"); + +var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var dup24 = 
setc("eventcategory","1502020000"); + +var dup25 = setc("event_type","TMS mitigation"); + +var dup26 = setc("disposition","ongoing"); + +var dup27 = setc("disposition","done"); + +var dup28 = setc("event_type","Third party mitigation"); + +var dup29 = setc("event_type","Blackhole mitigation"); + +var dup30 = setc("event_type","Flowspec mitigation"); + +var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + +var dup34 = setc("eventcategory","1002000000"); + +var dup35 = setc("signame","Bandwidth"); + +var dup36 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], +}); + +var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + +var dup38 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], +}); + +var dup39 = linear_select([ + dup2, + dup3, +]); + +var dup40 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var dup43 = 
linear_select([ + dup21, + dup22, +]); + +var dup44 = linear_select([ + dup31, + dup32, +]); + +var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + +var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + +var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + +var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + +var select1 = linear_select([ + part1, + part2, + part3, + part4, +]); + +var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), +}); + +var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + dup39, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), +}); + +var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); + +var all3 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), +}); + +var all4 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), +}); + +var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + +var select2 = linear_select([ + dup2, + dup3, + part8, +]); + +var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), +}); + +var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup11, 
+])); + +var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, +])); + +var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, +])); + +var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, +])); + +var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, +]); + +var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg1 = msg("Flow:Down", part9); + +var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg2 = msg("Flow:Restored", part10); + +var select4 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("BGP:Down", dup41); + +var msg4 = msg("BGP:Restored", dup42); + +var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ + dup17, + dup13, +])); + +var msg5 = msg("BGP:Instability", part11); + +var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol->} Instability for router %{node->} ended", processor_chain([ + dup18, + 
dup13, +])); + +var msg6 = msg("BGP:Instability_Ended", part12); + +var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, +])); + +var msg7 = msg("BGP:Hijack", part13); + +var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ + dup18, + dup13, +])); + +var msg8 = msg("BGP:Hijack_Done", part14); + +var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, +])); + +var msg9 = msg("BGP:Trap", part15); + +var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, +]); + +var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg10 = msg("Device:Unreachable", part16); + +var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg11 = msg("Device:Reachable", part17); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, +])); + +var msg12 = msg("Hardware:Failure", part18); + +var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at 
%{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, +])); + +var msg13 = msg("Hardware:Failure_Done", part19); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("SNMP:Down", dup41); + +var msg15 = msg("SNMP:Restored", dup42); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), +])); + +var msg16 = msg("configuration", part20); + +var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, +])); + +var msg17 = msg("Autoclassification", part21); + +var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg18 = msg("GRE:Down", part22); + +var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, +])); + +var msg19 = msg("GRE:Restored", part23); + +var select9 = linear_select([ + msg18, + msg19, +]); + +var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all6 = all_match({ + processors: [ + 
part24, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), +}); + +var msg20 = msg("mitigation:TMS_Start", all6); + +var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all7 = all_match({ + processors: [ + part25, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), +}); + +var msg21 = msg("mitigation:TMS_Stop", all7); + +var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all8 = all_match({ + processors: [ + part26, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), +}); + +var msg22 = msg("mitigation:Thirdparty_Start", all8); + +var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all9 = all_match({ + processors: [ + part27, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), +}); + +var msg23 = msg("mitigation:Thirdparty_Stop", all9); + +var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all10 = all_match({ + processors: [ + part28, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), +}); + +var msg24 = msg("mitigation:Blackhole_Start", all10); + +var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} 
%{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all11 = all_match({ + processors: [ + part29, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), +}); + +var msg25 = msg("mitigation:Blackhole_Stop", all11); + +var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all12 = all_match({ + processors: [ + part30, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, + ]), +}); + +var msg26 = msg("mitigation:Flowspec_Start", all12); + +var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all13 = all_match({ + processors: [ + part31, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), +}); + +var msg27 = msg("mitigation:Flowspec_Stop", all13); + +var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), +])); + +var msg28 = msg("TMS:Fault_Cleared", part32); + +var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), +])); + +var msg29 = msg("TMS:Fault", part33); + +var select11 = linear_select([ + msg28, + msg29, +]); + +var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} 
threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ + dup17, + dup13, +])); + +var msg30 = msg("usage_alert:Interface", part34); + +var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ + dup18, + dup13, +])); + +var msg31 = msg("usage_alert:Interface_Done", part35); + +var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + +var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ + dup18, + dup13, +])); + +var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + +var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg34 = msg("usage_alert:Service_Threshold", part38); + +var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ + dup18, + dup13, +])); + +var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + +var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg36 = msg("usage_alert:ManagedObject_Threshold", 
part40); + +var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ + dup18, + dup13, +])); + +var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + +var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, +]); + +var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, +])); + +var msg38 = msg("Test", part42); + +var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all14 = all_match({ + processors: [ + part43, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), +}); + +var msg39 = msg("script", all14); + +var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all15 = all_match({ + processors: [ + part44, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), +}); + +var msg40 = msg("anomaly:Resource_Info:01", all15); + +var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all16 = all_match({ + processors: [ + part45, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, 
+ dup36, + ]), +}); + +var msg41 = msg("anomaly:Resource_Info:02", all16); + +var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all17 = all_match({ + processors: [ + part46, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), +}); + +var msg42 = msg("anomaly:Resource_Info:03", all17); + +var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all18 = all_match({ + processors: [ + part47, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), +}); + +var msg43 = msg("anomaly:Resource_Info:04", all18); + +var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + dup35, +])); + +var msg44 = msg("anomaly:Router_Info:01", part48); + +var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, +])); + +var msg45 = msg("anomaly:Router_Info:02", part49); + +var select13 = linear_select([ + msg40, + 
msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg46 = msg("Peakflow:Unreachable", part50); + +var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg47 = msg("Peakflow:Reachable", part51); + +var select14 = linear_select([ + msg46, + msg47, +]); + +var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup38, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), +])); + +var msg48 = msg("Host:Detection", part52); + +var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup38, +])); + +var msg49 = msg("Host:Detection:01", part53); + +var select15 = linear_select([ + msg48, + msg49, +]); + +var part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), +])); + +var msg50 = msg("Infrastructure", part54); + +var part55 = 
match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), +])); + +var msg51 = msg("Infrastructure:02", part55); + +var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), +])); + +var msg52 = msg("Infrastructure:01", part56); + +var select16 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, +])); + +var msg53 = msg("Blocked_Host", part57); + +var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, +])); + +var msg54 = msg("Change_Log", part58); + +var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), +])); + +var msg55 = msg("Protection_Mode", part59); + +var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + "GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + 
"usage_alert": select12, + }), +]); + +var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); + +var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + +var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + +var select17 = linear_select([ + dup2, + dup3, +]); + +var select18 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", 
processor_chain([ + dup12, + dup13, + dup14, +])); + +var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var select19 = linear_select([ + dup21, + dup22, +]); + +var select20 = linear_select([ + dup31, + dup32, +]); diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml new file mode 100644 index 00000000000..66f9ab7bcc1 --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Arbor Peakflow SP + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
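Review bot: The geoip and AS lookups in this pipeline key on `source.ip` and `destination.ip`, but the anomaly patterns added in the same PR (MESSAGE#39–#42, `src %{daddr}/%{dport->} ... dst %{saddr}/%{sport->}`) bind the message's `src` address to `daddr` and its `dst` address to `saddr`; if those RSA fields are converted to `destination.ip`/`source.ip` as their names suggest, `source.geo`/`source.as` will describe the attack target rather than the origin, which is the wrong way round for a DDoS feed. That conversion happens outside this hunk, so it is worth confirming against a real anomaly event before detections depend on the geo fields, and if the swap is deliberate a one-line comment above the `geoip` processors saying so would spare the next reader the same question. Separately, `description: Pipeline for Arbor Peakflow SP` does not match the netscout/sightline dataset it ships in; `description: Pipeline for Netscout Arbor Sightline (Peakflow SP) syslog` would be clearer.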
diff --git a/x-pack/filebeat/module/netscout/sightline/manifest.yml b/x-pack/filebeat/module/netscout/sightline/manifest.yml new file mode 100644 index 00000000000..6c3ae460110 --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["netscout.sightline", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9502 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log new file mode 100644 index 00000000000..892a1fc0f2b --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log 
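Review bot: `tz_offset` defaults to `local`, so the appliance's zone-less syslog timestamps are interpreted in the collector's zone, and the expected fixture in this PR shows that offset being applied (`January 29 06:09:59` becomes `2020-01-29T08:09:59.000Z`). For an appliance in a different zone every event time is silently shifted, which matters when these alerts are placed on an incident timeline, and nothing in the manifest warns about it. A comment on the variable would help: `# tz_offset: zone of the sending appliance; "local" uses the collector's zone, so set it explicitly when they differ`. The `input: udp` default also carries no sender authentication, so the `forwarded` tag should not be read as evidence of origin; this presumably mirrors the other RSA-derived modules in the PR, and the `syslog_host: localhost` default at least keeps the listener off external interfaces unless an operator opens it.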
@@ -0,0 +1,100 @@ +January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci +February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac +February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq +March 12 03:17:42 pfsp: Test syslog message +March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16 +April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin) +April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi +May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59 +May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti +June 5 21:33:08 pfsp: Alert Test syslog message +June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci +July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ +July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap +August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis +August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt +August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano +September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries 
usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc +September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi +October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc +October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate +November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua +November 24 10:03:59 pfsp: Test syslog message +December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli +December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc +January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup +January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor +February 3 21:16:50 pfsp: The BGP Instability for router oin ended +February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla +March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des +March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33 +April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido +April 16 08:29:41 Lor: Test: Test syslog message +April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu +May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae +May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix 
lumqui itinvo mdolore +June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu +June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) +July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol +July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) +August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup +August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv +September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu +September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor +October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi +October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames +November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu +November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata +December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte +December 15 08:13:24 pfsp: GRE tunnel 
restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea +December 29 15:15:58 pfsp: Test syslog message +January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse +January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) +February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc +February 24 19:26:15 pfsp: BGP Instability for router iatisu ended +March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven +March 25 09:31:24 pfsp: Test syslog message +April 8 16:33:58 Sedutp: Test: Test syslog message +April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe +May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse +May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro +June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15 +June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati +July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto +July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin +August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) +August 15 07:57:06 pfsp: 
Alert Test syslog message +August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo +September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) +September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden +October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab +October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui +November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips +November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt +December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation +December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt +January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo +January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo +February 2 20:27:57 pfsp: Alert 
configuration was changed on leader emvele to version 1.2883 by lor +February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) +March 3 10:33:06 pfsp: Alert Test syslog message +March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex +April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu +April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done +April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) +May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor +May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela +June 11 11:51:06 uto: Test: Test syslog message +June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol +July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae +July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom +August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab) +August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc +September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu 
+September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui +October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis +October 18 03:14:14 fugits: Test: Test syslog message +November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol +November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red +November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas +December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json new file mode 100644 index 00000000000..a6bd506ffea --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -0,0 +1,2616 @@ +[ + { + "@timestamp": "2020-01-29T08:09:59.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 0, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.6078", + "related.user": [ + "rci" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "olab", + "rsa.misc.version": "1.6078", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rci" + }, + { + "@timestamp": "2020-02-12T15:12:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 96, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tatemac" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tatemac" + }, + { + "@timestamp": "2020-02-26T22:15:08.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq", + "fileset.name": "sightline", + "input.type": 
"log", + "log.offset": 205, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "nseq" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "nseq" + }, + { + "@timestamp": "2020-03-12T05:17:42.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 12 03:17:42 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 311, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-26T12:20:16.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 355, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "ritquiin", + "rsa.misc.parent_node": "umqui", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "rsa.time.starttime": "2016-03-26T12:20:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-09T19:22:51.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, 
direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 459, + "network.direction": "external", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.51.132.10" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "utper", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 116.48, + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "service.type": "netscout", + "source.ip": [ + "10.51.132.10" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-24T02:25:25.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 715, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "incidi" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "rsa.time.starttime": "2016-04-24T02:25:25.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "incidi" + }, + { + "@timestamp": "2020-05-08T09:27:59.000Z", + "event.code": "Peakflow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 809, + "observer.product": "Arbor", + "observer.type": "DDOS", + 
"observer.vendor": "Netscout", + "rsa.internal.messageid": "Peakflow", + "rsa.misc.node": "oloremqu", + "rsa.misc.parent_node": "temvel", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "rsa.time.starttime": "2016-05-08T09:27:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-22T16:30:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 909, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "anti" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "anti" + }, + { + "@timestamp": "2020-06-05T23:33:08.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 5 21:33:08 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1002, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "fileset.name": "sightline", + 
"input.type": "log", + "log.offset": 1050, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.5162", + "related.user": [ + "nci" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "uipexea", + "rsa.misc.version": "1.5162", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "nci" + }, + { + "@timestamp": "2020-07-04T13:38:16.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1142, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "mvolu", + "rsa.misc.parent_node": "radip", + "rsa.time.endtime": "2016-07-04T13:38:16.000Z", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-18T20:40:50.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "fileset.name": "sightline", + "group.name": "dquiac", + "input.type": "log", + "log.offset": 1243, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "dquiac", + 
"rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-07-18T20:40:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" + }, + { + "@timestamp": "2019-08-02T03:43:25.000Z", + "destination.ip": [ + "10.155.162.162" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1410, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.66.171.247", + "10.155.162.162" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-08-02T03:43:25.000Z", + "service.type": "netscout", + "source.ip": [ + "10.66.171.247" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis" + }, + { + "@timestamp": "2019-08-16T10:45:59.000Z", + "event.action": "Fault Occured", + "event.code": "TMS", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1594, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "eip", + "rsa.internal.messageid": "TMS", + "rsa.internal.resource": "lupta", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "iusmodt", + "rsa.time.event_time": 
"2019-08-16T10:45:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-30T17:48:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1677, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "uiano" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-08-30T17:48:33.000Z", + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "uiano" + }, + { + "@timestamp": "2019-09-14T00:51:07.000Z", + "destination.ip": [ + "10.179.26.34" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1782, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.38.77.13", + "10.179.26.34" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-09-14T00:51:07.000Z", + "service.type": "netscout", + "source.ip": [ + "10.38.77.13" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc" + }, + { + "@timestamp": 
"2019-09-28T07:53:42.000Z", + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1974, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "abilloi", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "tatevel", + "rsa.time.event_time": "2019-09-28T07:53:42.000Z", + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-12T14:56:16.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2069, + "network.interface.name": "lo5882", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "enimad", + "rsa.misc.disposition": "tsed", + "rsa.misc.node": "eci", + "rsa.misc.policy_name": "ore", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 2933, + "rsa.network.interface": "lo5882", + "rsa.time.event_time": "2019-10-12T14:56:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-26T21:58:50.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol 
router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "high", + "log.offset": 2251, + "network.interface.name": "lo4987", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "deomni", + "rsa.misc.disposition": "inim", + "rsa.misc.node": "ntsuntin", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 2902, + "rsa.network.interface": "lo4987", + "rsa.time.event_time": "2019-10-26T21:58:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-10T05:01:24.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2448, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "qua" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-11-10T05:01:24.000Z", + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "qua" + }, + { + "@timestamp": "2019-11-24T12:03:59.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 24 10:03:59 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2548, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-11-24T12:03:59.000Z", + 
"service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-08T19:06:33.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2595, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "turveli" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-12-08T19:06:33.000Z", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "turveli" + }, + { + "@timestamp": "2019-12-23T02:09:07.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2695, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "caecatc" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "caecatc" + }, + { + "@timestamp": "2020-01-06T09:11:41.000Z", + "destination.ip": [ + "10.224.68.213" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 
10.224.68.213, leader taed at 2017-01-06 07:11:41 lup", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2801, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.224.68.213" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "taed", + "rsa.time.endtime": "2017-01-06T09:11:41.000Z", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-20T16:14:16.000Z", + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2922, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "lor", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "aperi", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-03T23:16:50.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 3 21:16:50 pfsp: The BGP Instability for router oin ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3015, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "oin", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-18T06:19:24.000Z", + "event.code": "Hardware", + "event.dataset": 
"netscout.sightline", + "event.module": "netscout", + "event.original": "February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3083, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "pitla", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "ritatis", + "rsa.time.endtime": "2017-02-18T06:19:24.000Z", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-04T13:21:59.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3185, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "mqui" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "mqui" + }, + { + "@timestamp": "2020-03-18T20:24:33.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3291, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "tdolorem", + "rsa.misc.parent_node": "ono", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + 
"rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-02T03:27:07.000Z", + "destination.ip": [ + "10.60.185.151" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3387, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.60.185.151" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "uidolo", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-16T10:29:41.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 16 08:29:41 Lor: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3510, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-30T17:32:16.000Z", + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3559, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": 
"script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "modoco", + "rsa.misc.parent_node": "estqu", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-15T00:34:50.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", + "fileset.name": "sightline", + "group.name": "ents", + "input.type": "log", + "log.offset": 3647, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "ents", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" + }, + { + "@timestamp": "2020-05-29T07:37:24.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3809, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "mdolore", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "reetd", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + 
"forwarded" + ] + }, + { + "@timestamp": "2020-06-12T14:39:58.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3881, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "mque", + "rsa.misc.parent_node": "uovolup", + "rsa.time.endtime": "2017-06-12T14:39:58.000Z", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-26T21:42:33.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3985, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 38.117, + "rsa.time.endtime": "2017-06-26T21:42:33.000Z", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.starttime": "2017-06-26T21:42:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-11T04:45:07.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", + "fileset.name": "sightline", 
+ "input.type": "log", + "log.offset": 4221, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "doloremi", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-25T11:47:41.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4290, + "network.protocol": "ipv6", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "tincu", + "rsa.misc.trigger_val": "sci", + "rsa.time.event_time": "2019-07-25T11:47:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-08T18:50:15.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", + "fileset.name": "sightline", + "group.name": "eaq", + "input.type": "log", + "log.offset": 4397, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "eaq", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-08-08T18:50:15.000Z", + "service.type": "netscout", + "tags": [ + 
"netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup" + }, + { + "@timestamp": "2019-08-23T01:52:50.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4563, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "suntexp" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2019-08-23T01:52:50.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "suntexp" + }, + { + "@timestamp": "2019-09-06T08:55:24.000Z", + "destination.ip": [ + "10.168.131.247" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4672, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.136.232.108", + "10.168.131.247" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-09-06T08:55:24.000Z", + "service.type": "netscout", + "source.ip": [ + "10.136.232.108" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu" + }, + { + "@timestamp": "2019-09-20T15:57:58.000Z", + "destination.ip": [ 
+ "10.209.182.237" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4861, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.209.182.237" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "tper", + "rsa.time.endtime": "2017-09-20T15:57:58.000Z", + "rsa.time.event_time": "2019-09-20T15:57:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-04T23:00:32.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4981, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "xerc", + "rsa.misc.parent_node": "iutali", + "rsa.time.endtime": "2017-10-04T23:00:32.000Z", + "rsa.time.event_time": "2019-10-04T23:00:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-19T06:03:07.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5090, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "ati", + 
"rsa.misc.parent_node": "tlabo", + "rsa.time.event_time": "2019-10-19T06:03:07.000Z", + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-02T13:05:41.000Z", + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5187, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "offi", + "rsa.misc.parent_node": "giatnu", + "rsa.time.event_time": "2019-11-02T13:05:41.000Z", + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-16T20:08:15.000Z", + "destination.ip": [ + "10.128.31.83" + ], + "destination.port": 2346, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5270, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.128.31.83", + "10.97.164.220" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": 
"aera", + "rsa.misc.disposition": "uamei", + "rsa.misc.event_id": "6f3fd2c5", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 50.929, + "rsa.time.event_time": "2019-11-16T20:08:15.000Z", + "rsa.time.starttime": "2017-11-16T08:08:15.000Z", + "service.type": "netscout", + "source.ip": [ + "10.97.164.220" + ], + "source.port": 6205, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" + }, + { + "@timestamp": "2019-12-01T03:10:49.000Z", + "destination.ip": [ + "10.163.161.165" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5621, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.163.161.165", + "10.83.23.104" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-12-01T03:10:49.000Z", + "service.type": "netscout", + "source.ip": [ + "10.83.23.104" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte" + }, + { + "@timestamp": "2019-12-15T10:13:24.000Z", + "destination.ip": [ + "10.53.248.4" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5813, + "observer.product": 
"Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.53.248.4" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "derit", + "rsa.time.endtime": "2017-12-15T10:13:24.000Z", + "rsa.time.event_time": "2019-12-15T10:13:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-29T17:15:58.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 29 15:15:58 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5931, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-13T00:18:32.000Z", + "event.code": "Flow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5978, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Flow", + "rsa.misc.node": "tessec", + "rsa.misc.parent_node": "olupta", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, 
managed_objects (ehen), is now success, (parent managed object quameius)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 6085, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "success", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 24.633, + "rsa.time.endtime": "2018-01-27T07:21:06.000Z", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-10T14:23:41.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6330, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "uiac" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "uiac" + }, + { + "@timestamp": "2020-02-24T21:26:15.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 24 19:26:15 pfsp: BGP Instability for router iatisu ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6435, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iatisu", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "service.type": "netscout", + "tags": [ + 
"netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6503, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "ersp" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "ersp" + }, + { + "@timestamp": "2020-03-25T11:31:24.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 25 09:31:24 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6609, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-08T18:33:58.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 8 16:33:58 Sedutp: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6653, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-23T01:36:32.000Z", + "event.code": "Change_Log", + 
"event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6704, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "rsitv" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rsitv" + }, + { + "@timestamp": "2020-05-07T08:39:06.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", + "fileset.name": "sightline", + "group.name": "upida", + "input.type": "log", + "log.offset": 6809, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "upida", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse" + }, + { + "@timestamp": "2020-05-21T15:41:41.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", + "fileset.name": "sightline", + "input.type": "log", + 
"log.offset": 6971, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "udexerci" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "udexerci" + }, + { + "@timestamp": "2020-06-04T22:44:15.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7078, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "illoin", + "rsa.misc.parent_node": "tanimid", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-19T05:46:49.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7178, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.4425", + "related.user": [ + "ati" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "natuse", + "rsa.misc.version": "1.4425", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "ati" + }, + { + 
"@timestamp": "2020-07-03T12:49:23.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "low", + "log.offset": 7269, + "network.interface.name": "enp0s4306", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "itess", + "rsa.misc.disposition": "queips", + "rsa.misc.node": "ofdeFini", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 2366, + "rsa.network.interface": "enp0s4306", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-17T19:51:58.000Z", + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7462, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "entsunt", + "rsa.misc.parent_node": "ihilm", + "rsa.time.endtime": "2018-07-17T19:51:58.000Z", + "rsa.time.event_time": "2019-07-17T19:51:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-01T02:54:32.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 
00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 7561, + "network.direction": "internal", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.54.49.84" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "ciad", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 29.657, + "rsa.time.event_time": "2019-08-01T02:54:32.000Z", + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "service.type": "netscout", + "source.ip": [ + "10.54.49.84" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-15T09:57:06.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 15 07:57:06 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7811, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-08-15T09:57:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-29T16:59:40.000Z", + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 7862, + "network.interface.name": "lo4293", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + 
"rsa.misc.category": "tutlab", + "rsa.misc.disposition": "commodo", + "rsa.misc.node": "atevelit", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5089, + "rsa.network.interface": "lo4293", + "rsa.time.event_time": "2019-08-29T16:59:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-13T00:02:15.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8043, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "uptate", + "rsa.misc.trigger_val": "tpersp", + "rsa.time.event_time": "2019-09-13T00:02:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-27T07:04:49.000Z", + "event.action": "Fault Occured", + "event.code": "TMS", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8152, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "tem", + "rsa.internal.messageid": "TMS", + "rsa.internal.resource": "dol", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "proiden", + "rsa.time.event_time": "2019-09-27T07:04:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-11T14:07:23.000Z", + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": 
"netscout", + "event.original": "October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8236, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "isis", + "rsa.misc.parent_node": "uasiar", + "rsa.time.endtime": "2018-10-11T14:07:23.000Z", + "rsa.time.event_time": "2019-10-11T14:07:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-25T21:09:57.000Z", + "destination.ip": [ + "10.216.83.142" + ], + "destination.port": 4365, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "low", + "log.offset": 8340, + "network.protocol": "tcp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.224.198.212", + "10.216.83.142" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "utodita", + "rsa.misc.disposition": "liqua", + "rsa.misc.event_id": "c8947b2b", + "rsa.misc.policy_name": "ntsunt", + "rsa.misc.severity": "low", + "rsa.time.duration_time": 2.919, + "rsa.time.event_time": "2019-10-25T21:09:57.000Z", + "rsa.time.starttime": "2018-10-25T09:09:57.000Z", + "service.type": "netscout", + "source.ip": [ + "10.224.198.212" + ], + "source.port": 2003, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": 
"https://example.net/con/preh.html?quamest=mac#qui" + }, + { + "@timestamp": "2019-11-09T04:12:32.000Z", + "destination.ip": [ + "10.28.226.128" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8678, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.28.226.128", + "10.122.76.148" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-11-09T04:12:32.000Z", + "service.type": "netscout", + "source.ip": [ + "10.122.76.148" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.org/idunt/luptat.txt?ica=lillum#remips" + }, + { + "@timestamp": "2019-11-23T11:15:06.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "fileset.name": "sightline", + "group.name": "amcor", + "input.type": "log", + "log.offset": 8876, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "amcor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-11-23T11:15:06.000Z", + "service.type": "netscout", + "tags": [ + 
"netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" + }, + { + "@timestamp": "2019-12-07T18:17:40.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + "fileset.name": "sightline", + "group.name": "equepor", + "input.type": "log", + "log.offset": 9048, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "equepor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-12-07T18:17:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" + }, + { + "@timestamp": "2019-12-22T01:20:14.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "fileset.name": "sightline", + "group.name": "isciv", + "input.type": "log", + "log.offset": 9230, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "isciv", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "service.type": 
"netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "destination.ip": [ + "10.98.209.10" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9398, + "network.protocol": "ggp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.98.209.10", + "10.31.177.226" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "service.type": "netscout", + "source.ip": [ + "10.31.177.226" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo" + }, + { + "@timestamp": "2020-01-19T15:25:23.000Z", + "destination.ip": [ + "10.179.210.218" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9594, + "network.protocol": "igmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.44.47.27", + "10.179.210.218" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + 
"rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "service.type": "netscout", + "source.ip": [ + "10.44.47.27" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" + }, + { + "@timestamp": "2020-02-02T22:27:57.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9795, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2883", + "related.user": [ + "lor" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "emvele", + "rsa.misc.version": "1.2883", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "lor" + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9895, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iquamqua", + "rsa.misc.trigger_val": "ita", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-03T12:33:06.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 3 
10:33:06 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10007, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-17T19:35:40.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10056, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tMal" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tMal" + }, + { + "@timestamp": "2020-04-01T02:38:14.000Z", + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10161, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2552", + "related.user": [ + "onu" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "maveni", + "rsa.misc.version": "1.2552", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "onu" + }, + { + "@timestamp": 
"2020-04-15T09:40:49.000Z", + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10258, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "norumet", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-29T16:43:23.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10340, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 177.586, + "rsa.time.endtime": "2019-04-29T16:43:23.000Z", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-13T23:45:57.000Z", + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10573, + "observer.product": 
"Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "remipsum", + "rsa.misc.parent_node": "tempor", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-28T06:48:31.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10656, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "orroqu" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "orroqu" + }, + { + "@timestamp": "2020-06-11T13:51:06.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 11 11:51:06 uto: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10760, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-25T20:53:40.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 25 18:53:40 remq: Change Log: Username:veniamq, 
Subsystem:occ, Setting Type:oloreseo, Message:iruredol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10808, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "veniamq" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "veniamq" + }, + { + "@timestamp": "2020-07-10T03:56:14.000Z", + "destination.ip": [ + "10.55.156.64" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10916, + "network.protocol": "ggp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.151.129.181", + "10.55.156.64" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "service.type": "netscout", + "source.ip": [ + "10.151.129.181" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", + "fileset.name": "sightline", + "group.name": "quasiarc", + "input.type": 
"log", + "log.offset": 11103, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "quasiarc", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/rever/ore.jpg?oluptat=metco#acom" + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 11267, + "network.direction": "internal", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.46.77.76" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "iacons", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 77.637, + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "service.type": "netscout", + "source.ip": [ + "10.46.77.76" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11525, + 
"observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "radipisc", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "ntiu", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.ip": [ + "10.166.90.130" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11615, + "network.protocol": "icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.166.90.130", + "10.73.89.189" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "netscout", + "source.ip": [ + "10.73.89.189" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", + "fileset.name": "sightline", + "group.name": "laudan", + "input.type": "log", + "log.offset": 11810, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + 
"rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "laudan", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11995, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "rcitat" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rcitat" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 18 03:14:14 fugits: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12109, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.ip": [ + "10.226.51.191" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + 
"event.original": "November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12163, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.226.51.191" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "magnid", + "rsa.time.endtime": "2019-11-01T12:16:48.000Z", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12282, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tvolup" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tvolup" + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12395, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "luptas" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + 
"rsa.time.event_time": "2019-11-30T02:21:57.000Z",
+ "rsa.time.starttime": "2019-11-30T02:21:57.000Z",
+ "service.type": "netscout",
+ "tags": [
+ "netscout.sightline",
+ "forwarded"
+ ],
+ "user.name": "luptas"
+ },
+ {
+ "@timestamp": "2019-12-14T09:24:31.000Z",
+ "event.code": "Device",
+ "event.dataset": "netscout.sightline",
+ "event.module": "netscout",
+ "event.original": "December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol",
+ "fileset.name": "sightline",
+ "input.type": "log",
+ "log.offset": 12500,
+ "observer.product": "Arbor",
+ "observer.type": "DDOS",
+ "observer.vendor": "Netscout",
+ "rsa.internal.messageid": "Device",
+ "rsa.misc.node": "aev",
+ "rsa.misc.parent_node": "inrepr",
+ "rsa.time.endtime": "2019-12-14T09:24:31.000Z",
+ "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
+ "service.type": "netscout",
+ "tags": [
+ "netscout.sightline",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md
new file mode 100644
index 00000000000..d85f315d23f
--- /dev/null
+++ b/x-pack/filebeat/module/radware/README.md
@@ -0,0 +1,7 @@
+# radware module
+
+This is a module for Radware DefensePro logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114
+at 2020-07-13 17:55:41.342523 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml
new file mode 100644
index 00000000000..dc134fbe59f
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: radware
+ defensepro:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9518
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
new file mode 100644
index 00000000000..7335cb86eab
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
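Review bot: The sample config lists `var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields` and `var.tz_offset` but omits `var.keep_raw_fields`, which the docs.asciidoc added in this same commit documents as a supported fileset setting defaulting to false; since the commented-out sample is where operators discover the options, add `# Toggle output of raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false` after the `var.rsa_fields` line. The `var.syslog_host` comment also gives only the default `localhost`, while the docs say `0.0.0.0` binds all interfaces; a one-line reminder here, e.g. `# Binding to 0.0.0.0 exposes the listener to every network the host is on; restrict it to the syslog senders' segment.`, would help, because nothing in this config appears to authenticate UDP/TCP syslog senders (inferred from the visible options, not confirmed).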
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: radware
+:has-dashboards: false
+
+== Radware module
+
+experimental[]
+
+This is a module for receiving Radware DefensePro logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: defensepro
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `defensepro` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9518`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/radware/_meta/fields.yml b/x-pack/filebeat/module/radware/_meta/fields.yml
new file mode 100644
index 00000000000..394601bc000
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: radware
+ title: Radware DefensePro
+ description: >
+ radware fields.
+ fields:
diff --git a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml new file mode 100644 index 00000000000..24f226db8f3 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Radware"
+ product: "DefensePro"
+ type: "IDS"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/radware/defensepro/config/liblogparser.js
+ - ${path.home}/module/radware/defensepro/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
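Review bot: `debug: {{.debug}}` is handed to the script processor with nothing in this template saying what it switches on; in liblogparser.js the `match()` helper logs the dissect pattern and the complete raw input (`console.debug(" input: <<" + msg + ">>")`) for every event when debug is set, and the field definitions this module ships include keys such as `password` ("Passwords seen in any session, plain text or encrypted"), so a debug run copies whatever secrets the device logs into the Filebeat log. A one-line comment above the parameter, `# debug: true writes every raw input line to the Filebeat log; leave off outside troubleshooting`, would make that cost visible to operators. Likewise `host: "{{.syslog_host}}:{{.syslog_port}}"` gives no hint of where its defaults are defined; if the manifest's default is a wildcard address the non-file input opens a listener on every interface, so a short pointer to the manifest and a recommendation to set an explicit interface would help.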
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + +var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + +var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + +var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var dup9 = setc("eventcategory","1001000000"); + +var dup10 = setc("ec_theme","TEV"); + +var dup11 = setf("msg","$MSG"); + +var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + +var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var dup16 = setc("eventcategory","1002000000"); + +var dup17 = setc("ec_subject","NetworkComm"); + +var dup18 = setc("ec_activity","Scan"); + +var dup19 = setc("eventcategory","1401000000"); + +var dup20 = setc("ec_subject","User"); + +var dup21 = setc("ec_theme","ALM"); + +var dup22 = 
setc("ec_activity","Modify"); + +var dup23 = setc("ec_theme","Configuration"); + +var dup24 = setc("eventcategory","1612000000"); + +var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + +var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = setc("ec_activity","Logon"); + +var dup32 = setc("ec_theme","Authentication"); + +var dup33 = setc("ec_outcome","Failure"); + +var dup34 = setc("event_description","Login Failed"); + +var dup35 = setc("ec_outcome","Error"); + +var dup36 = setc("eventcategory","1603000000"); + +var dup37 = setc("ec_theme","AccessControl"); + +var dup38 = setc("eventcategory","1401060000"); + +var dup39 = setc("ec_outcome","Success"); + +var dup40 = setc("event_description","User logged in"); + +var dup41 = linear_select([ + dup2, + dup3, +]); + +var dup42 = linear_select([ + dup4, + dup5, +]); + +var dup43 = linear_select([ + dup7, + dup8, +]); + +var dup44 = linear_select([ + dup25, + dup26, +]); + +var dup45 = linear_select([ + dup28, + dup29, +]); + +var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup49 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: 
processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant(" \\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" \""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var msg1 = msg("Intrusions:01", dup46); + +var msg2 = msg("Intrusions:02", dup47); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("SynFlood:01", dup48); + +var msg4 = msg("Behavioral-DoS:01", dup48); + +var msg5 = msg("Behavioral-DoS:02", dup49); 
+ +var select3 = linear_select([ + msg4, + msg5, +]); + +var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var msg6 = msg("Anti-Scanning:01", all1); + +var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg7 = msg("Anti-Scanning:02", all2); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("DoS:01", dup48); + +var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg9 = msg("DoS:02", all3); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("Cracking-Protection:01", dup46); + +var msg11 = msg("Cracking-Protection:02", dup47); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("Anomalies:01", dup48); + +var msg13 = msg("Anomalies:02", dup49); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("HttpFlood:01", dup48); + +var msg15 = msg("HttpFlood:02", dup49); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, +])); + +var msg16 = msg("COMMAND:", part1); + +var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, +])); + 
+var msg17 = msg("Configuration:01", part2); + +var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, +])); + +var msg18 = msg("Configuration:02", part3); + +var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, +])); + +var msg19 = msg("Configuration:03", part4); + +var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, +])); + +var msg20 = msg("Configuration:04", part5); + +var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, +])); + +var msg21 = msg("Configuration:05", part6); + +var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, +])); + +var msg22 = msg("Configuration:06", part7); + +var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, +]); + +var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + +var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), +}); + +var msg23 = msg("Login:04", all4); + +var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), +])); + +var msg24 = msg("Login:05", part9); + +var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); + +var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), +}); + +var msg25 = msg("Login:01", all5); + +var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, +])); + +var msg26 = msg("Login:02", part11); + +var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, +])); + +var msg27 = msg("Login:03", part12); + +var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server timed out", 
processor_chain([ + dup36, + dup21, + dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, +])); + +var msg28 = msg("Connection", part13); + +var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, +])); + +var msg29 = msg("Device", part14); + +var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, +])); + +var msg30 = msg("Power", part15); + +var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, +])); + +var msg31 = msg("Cold", part16); + +var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); + +var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + +var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + +var select11 = linear_select([ + part18, + part19, +]); + +var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), +}); + +var msg32 = msg("Port", all6); + +var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, +])); + +var msg33 = msg("DefensePro", part20); + +var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", 
"%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), +}); + +var msg34 = msg("Access:01", all7); + +var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, +])); + +var msg35 = msg("Access", part22); + +var select12 = linear_select([ + msg34, + msg35, +]); + +var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, +])); + +var msg36 = msg("Please", part23); + +var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, +])); + +var msg37 = msg("User:01", part24); + +var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, +])); + +var msg38 = msg("User", part25); + +var select13 = linear_select([ + msg37, + msg38, +]); + +var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ + dup19, + 
dup11, + setc("event_description","Certificate expired"), + dup12, + date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], + }), +])); + +var msg39 = msg("Certificate", part26); + +var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup11, + dup12, +])); + +var msg40 = msg("Vision", part27); + +var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Updating policy database"), +])); + +var msg41 = msg("Updating", part28); + +var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup24, + dup23, + dup39, + dup11, + setc("event_description","Policy database updated successfully"), +])); + +var msg42 = msg("Policy", part29); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Access": select12, + "Anomalies": select7, + "Anti-Scanning": select4, + "Behavioral-DoS": select3, + "COMMAND:": msg16, + "Certificate": msg39, + "Cold": msg31, + "Configuration": select9, + "Connection": msg28, + "Cracking-Protection": select6, + "DefensePro": msg33, + "Device": msg29, + "DoS": select5, + "HttpFlood": select8, + "Intrusions": select2, + "Login": select10, + "Please": msg36, + "Policy": msg42, + "Port": msg32, + "Power": msg30, + "SynFlood": msg3, + "Updating": msg41, + "User": select13, + "Vision": msg40, + }), +]); + +var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + +var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} 
%{p0}"); + +var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + +var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + +var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var select14 = linear_select([ + dup2, + dup3, +]); + +var select15 = linear_select([ + dup4, + dup5, +]); + +var select16 = linear_select([ + dup7, + dup8, +]); + +var select17 = linear_select([ + dup25, + dup26, +]); + +var select18 = linear_select([ + dup28, + dup29, +]); + +var all8 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all9 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: 
processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var all10 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all11 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml new file mode 100644 index 00000000000..9b916ed8805 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml @@ -0,0 +1,55 @@ +--- +description: Pipeline for Radware DefensePro + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
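Review bot: The four `rename` processors at the end of the pipeline are the only group without a heading comment, while the `# User agent`, `# IP Geolocation Lookup` and `# IP Autonomous System (AS) Lookup` groups above them each have one; a line such as `# Rename the geoip ASN output (asn, organization_name) to the ECS names as.number / as.organization.name` before the first `rename` would tell a reader why they exist. The `user_agent` processor on `user_agent.original`, and the matching `ingest-user_agent` entry under `requires.processors` in manifest.yml, look carried over from a module template rather than from anything a DefensePro syslog parser emits; if the parser never populates that field they could be dropped, though `ignore_missing: true` keeps the processor harmless as written. The pipeline description could also state which fields it expects from the JS parser (`source.ip`, `destination.ip`) so that the geoip steps are not silently no-ops when a field name changes.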
diff --git a/x-pack/filebeat/module/radware/defensepro/manifest.yml b/x-pack/filebeat/module/radware/defensepro/manifest.yml new file mode 100644 index 00000000000..e2037dea3c3 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["radware.defensepro", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9518 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/radware/fields.go b/x-pack/filebeat/module/radware/fields.go new file mode 100644 index 00000000000..9b5ee1a40b7 --- /dev/null +++ b/x-pack/filebeat/module/radware/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package radware + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "radware", asset.ModuleFieldsPri, AssetRadware); err != nil { + panic(err) + } +} + +// AssetRadware returns asset data. +// This is the base64 encoded gzipped contents of module/radware. +func AssetRadware() string { + return "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" +} diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md new file mode 100644 index 00000000000..4de9f128593 --- /dev/null 
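Review bot: `community_id` and `debug` are declared with defaults here but carry no explanation, and the fileset documentation template visible in this commit (the rapid7 `docs.asciidoc`) covers only `input`, `syslog_host`, `syslog_port`, `tz_offset`, `rsa_fields` and `keep_raw_fields`; if the radware docs follow the same template, those two variables are undocumented and a reader of the manifest cannot tell what `debug: false` actually switches. I cannot tell from this file what `debug` controls, so a short `#` comment on the `community_id` and `debug` entries stating what each toggles would help. The remaining defaults (`syslog_host: localhost`, `input: udp`, `keep_raw_fields: false`) are the conservative choices and read fine as they are.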
+++ b/x-pack/filebeat/module/rapid7/README.md @@ -0,0 +1,7 @@ +# rapid7 module + +This is a module for Rapid7 NeXpose logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 +at 2020-07-13 17:55:40.743386 +0000 UTC. + diff --git a/x-pack/filebeat/module/rapid7/_meta/config.yml b/x-pack/filebeat/module/rapid7/_meta/config.yml new file mode 100644 index 00000000000..1e9d383ffe5 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/_meta/config.yml @@ -0,0 +1,19 @@ +- module: rapid7 + nexpose: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9517 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc b/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc new file mode 100644 index 00000000000..c17f8e05826 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc 
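Review bot: The commented-out options in `_meta/config.yml` stop at `var.tz_offset`, while the `docs.asciidoc` added in the same commit also documents `var.keep_raw_fields` (default false), so a user copying this template gets no hint that raw parser fields can be kept. Adding `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false` after the `var.rsa_fields` block would keep the two files in step. The `var.syslog_port` example value `9517` does match the default stated in the docs.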
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: rapid7 +:has-dashboards: false + +== Rapid7 module + +experimental[] + +This is a module for receiving Rapid7 NeXpose logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nexpose + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nexpose` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9517` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/rapid7/_meta/fields.yml b/x-pack/filebeat/module/rapid7/_meta/fields.yml new file mode 100644 index 00000000000..7e68584af5e --- /dev/null +++ b/x-pack/filebeat/module/rapid7/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: rapid7 + title: Rapid7 NeXpose + description: > + rapid7 fields. + fields: diff --git a/x-pack/filebeat/module/rapid7/fields.go b/x-pack/filebeat/module/rapid7/fields.go new file mode 100644 index 00000000000..54c2c9ea600 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/fields.go 
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package rapid7 + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "rapid7", asset.ModuleFieldsPri, AssetRapid7); err != nil { + panic(err) + } +} + +// AssetRapid7 returns asset data. +// This is the base64 encoded gzipped contents of module/rapid7. +func AssetRapid7() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99e+UnKRre2o2fZztbVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dE05qX//YnQiy3Al6TD/hv8h7+USsDfyKkBMM0ry1X8jX5658IIeE3ZMZBlGbyJxL+6zV+6P73HZG0gtdEgl0pfTXh0oKeUQYT9/fua4SoJeiV5hZeE6ub/id2XcNrh+JK6bL39xJmtBG2wCVfkxkVBrY+HmDb/u89rYCoGbELaBEjHWJktQAN+JnVdDbjjCyoIVMASdTUgF5CORnQpw29AzFzrZr69qTsMnWzLGItqdgib3z1sfVjS2wWqcx86+/7VxjfsMGufFxw475HuCGNgZJYRRitbRP4r+mKVGAMnbt/U0uYqsA4opX7fAc0IW/VnJwCUyXoOCEeFt9F6lByWriwBGkLR1piwAHhzNwPLDfIc6akBWmNux9cGkulbdEwURwtrw5BsKR294Mhdtzj5JYg1JLVgrMFocSAMVxJsuDWEEreg/2dWwnGtLs/GRyNjlizUI0oiYQlaDKF7tzVVBsg78BShxolM62q3lJP36q5eXFB2RVY82wA/pRrYFasnxMb8KbkA3hh4U+47KE5iTJSwBLEAZwUSu7ezy1OnkKtgVEbMClhxiWUREmBaFk6FUAqWsexqsy8SHZh9uzxu3DPz09/IEsqmnDjeQnS8hkPpxOuKbNEqLnfLz3YCKSOO/DhtOD33HbUVFvOGkE1/j5s7GT0ZAxAH3RSYidjAHn8pIxuyfK4e/Ly/+/J/j1xq+bZkPtdXzX9V4GE7G7Lo8FuSQ8RetlR02BUo1mmt/f+bMt1/++HmbHUQgXSPkbkaFNyWzBBd+7wI0EPpNXrx4jYwulUjxExLg9DLK/G1EqOx3vSSqCHSI+8bJsBlCltqBG9JmZn9r7YugUcNgM9ZKAk3M+K2NFDBtBvsCLGubjjWjkSF2XPqxJln2fXgMxE7CMRDt6ZfewYanUj+ZcGNmq07ugPf1pvG7UnSjL3OFCrHrtlOyJuljyvOOxz98Qtw2ec0f59fqvm5GwJ0pJLFM6kkSVoZ4JoCIJqQPqMX0NJDFgHZOvH22uYcYOl3YQB7HsbLN0mDEDfaVOGnsD0/qXDDuaArjvw5G48WCiTSV/tn8tflbF9ESl2T6QBWXI5bz80sWPT8yF9PfzlhxywwY9GGXt+sfyJ0LLUTlaOXfdd5g6ot+prZe7yVW72vvp/l72OW/llw65c8I60vresJJTM+RJk5yT7ehUBx6LD/Bd5LZDy
MSp/X0dEY9Shoep1oeFLhr3uBw9xg5Hu6Rq5fOaXJhd4kZ4Hb7al5OO6BsLoUIJMgQC3C9Dk07m0P7wiSpNfhKL2x5dkSg2eojZANuPzRqPqdwPdh6i7XzHdGAbNZ3wm8C+4X89VLjfbPuu4XfmrdzAovaK6zKbU9SRaj+w+J88vPm/pe5RoEHR3Swkxa2OhCo9oQNtBW4A/qcYzz/1baT7nkor2N9vayg18yKV/7UmMOL/4/CrCgoD+gBP3Z0GH0ZDLKV6fzUEdKo6Hvj4LoCXoo8Suf8WlyPnpfaKkHt9+sBTBHBYrfdRONsGK7H422ipa5xtFCy+KM11OlBDArNJfowB23HuAnBt35rghzLMOSofplqL6Vu2qLWQPox+hxVex6WNRVStlMNmtUpJM14NNI0TDlwaMdQANr2qxDvvkvuwEPQHKFsTwEsjT74ld6Ia8/PnnZ2RFDTEAsltlDycehfJ6C06YWkkD+VjBvppTwVQjbedTaKqpF3ruKpsoBPKUTtUSeszgMppZ2Yo3YzXQavT+sK/m2Dwwq6Dkza6eloJR38Q0x86xwGeE2382L7//4c/Gi/QXNQrQFul/Dqj5p7MH39I1aPKSnElGa9MIH1lxJuWd5HoM+j2DH5HcytgqP74k/+7IfU5+/JH8O2FKO30ZqQiLPif/Xdj/6b7IDdlmyjfRLZSqhEdr68oVFIwKMaXsKq8G7JGTyuK1odbbFY6JIMtacWnRNLEQT3DGw1GA1ipTftpGHzQ1ME4FYoyYGqu006zl2msd7oMlFbz0ByOGFCEz1cjSvTACEHku50E5ujF5cftGDCCniAWG67AnbDSyC2uhaPlY3rmADjH8DyAVWM1ZxOoIpnD/y2gL++e+FcLu2ad2o9GqWbttE/KrWrmtGdqcXBKlnTFmFbkCqG9g2qN48b4SpmnFwJhiycuizBV1PWslzxwkaGrxkpeOgz27cMm1bahwRvuW711GXBy84s7sxlg5MsNTEa76+SnRTlobdKgg06ieg+2+diMnjM6U9PTgnPCZcPs5obOEgoaC//y09b1+gEpZIJfhvDMN+NBO12OC0v2vDcR8BYGXsFJhasFzZjY8anPe8IHa/yh0MydzM553vHXuDQhnvT11rdUSnpD/GhFGL15mXDxAjN6t6oyji5M3F0H3ZVQ69vCqVnpX4yX4RH51aRDN43B/fPJPFRriaLrHXKnbpnyz+cnGYPd6DlrmE/Ly51dkhXyvgEpChYj7CtCpj2rSxn9EVqDBg6WWCKDGEiV3ykW2mfjgauLXzcTIXc0Rtg28+13pEhmHWU3AFlIJNV/vBuJmXA+0WEJ+JmxBNWXWM9Fd6jXij05zSRoZcnrEls98tKI2dUG3D9TnDCLsiV2iRVE5JVPJNoyg6WpUpqFk3VErKUON1ccoZPA5KMYa3UI0lsqS6pJIpSsq+B+x/F6lqyh/ypDlcDCLVDMdPEl3YtIG6w6ZF4LPACmOGPgGmJLliIK92e7C2Jx+lj0EcclUVQuw0QMw6kSlqMBbzXfEYK/eTNsHOsiXbu3ocR47ytsnc/T4VUraRaJt2tSnpsp52WQ5lQ/E+DNZ5mC7A/mHkrm7LewRi271VsX06bUfdzk8EFHZbvQbYuHahstHlqBNr5yi3JcHFtnf+x62NdBUZG7K9JjSJZT53sGQZBOeKdOt2OoYbaZN98V+fH34WmlVTRBqg0X5hoGkmiuv1leNsPw7y0ETWteirX7Z9LKpqKTzWGkuIQLDO6296JHyuBrC7RND1Er6yJilVb3rGQwYu9UcisPbZw1hC+6sG1WCmZB3jbFoJvWBultJ7UheLrVw4CbtFWCzmcN7CcfQhHCT2wU97zTMQINk/kBQp1qXfMlLp9ngeYgLsstWkH3cYV6cyOua66NRuNlPHwu6dieRW7H2xBon9Jy+5pDCA7rfN5pw00ddOM+dNO7k2WSwZJdOpprUEqgaKHL3hdjxP/VVQQ3ySwPN0Y6SO93+
FG3k44oagkiUI+cGkfshNVMTKgVbDM0g0+aVzfD6zqscuNZFBlTrIof2XKcURdtAXyaHmkFX6r0iD2NC7piP0Tdm8Fze6c05VGzeJNcOCRZsHoidbgipHUGUDZT4FIq1aUTusNOIFaUay1QFLzwOnfGCWdlqNjghVAYWbBmQIwcElqC5zVk6soewdvVQBNiL7Oxz+eQtXhz0DvSvdFfp4qBh3KkGxmd8Y/jEtVsfzBnrqRJ05fzZTJEN6FyMvNwUTLQuqjIEWaJ4B7P5WJvwedtK71uCSpPfLkNqLDdtQsCuXw3Xb3dorErS1MrwhILjVmcLzWlZ+g5TmMrf3t3RLjyNsEW+1kV3FEWyqUBzdldZFKXtCFVsewjrV7J1N8OLJX+/B6QtQZZKh4TZvZSp6b8eoHtNG9pV038Bi9vRDrH8teADdjsJuh8xL+lz9qr7ZnghQ9V/EDPBy7WgXW6xVJZQsggdL+IJtELNizZR5UGEensQ7yzUj9EzZUv2/Q3TrbBrNYqPuOKvBGfr3Ldnj1y4QARCc20p1iNyuRE586bjDPzQCEDE4uJUSQvXuTXWDqFz6f11m36otCyN+z98VKloEYo1gLnhcWYLKudQSFjllgVjgUtY9UL9qIRYq/m0sdCTEMMcfeNRd9p6//mLiw5T02TCruOc4NnaVu5jGhqCu/lFHpm+/hYxbrECzDGsbThoNjlfegl6Qi7Bb0pjQE/oHLCVd8h0nynd4jCA3YLxejvD3xP/+17fCqXJVKuV+6z9a9A1vdk12k/6vLyg2qZ203WAU3tUwp1Sg+rQY90pJcpObcx1pVQNIaCY6y1+IwkVoG2XXaQ3i4a/+fBWEB+9JgCYhBRRmEsilfxOQw1oyezLfkCz4ZhPDmu0dhems1dwJ1GPe8F9hK0N/wwoW3G7CMqyl/XkFBecYrWJJEp+N1fuv/e8BKikFBHFMSPdtBcMfIEIOCTVjDjpYDmYCbncyJTdwQb9yqo8GJ/4cr7GOCPGl4z6ZJsyiN/AeEqYaIxtD2T4x2Cb8CfcuJ0MNdHBv+EUX/x0XAU6uvbjb1jcovdtmfIpZU9uMrwclqeIBaHGKMbRX+p2I2pP4oa95VfwmlBSL9aGMypIyc3Vc1JrnInynIBlT+KKMtX0kNrLOz70vs5G0wosaENqarCLl8FGDr4XAVNV5aSY2graD0trwLK96p5/Dx5K4+vtYYaHyYtvpqq6Gd7BDNtGyYrLUq1CPi1TkkFtn3eZFKPMGJA5a4RYky8NFd75WaqKchmkhuwtJNTI09X3eqZSl/aQ7lTCt1xeQRlqgdpEdGrQOxUMFPfJNx1qE17u2zgx6AqRVdT1Jzt5t8QuAi16v10+FF6/1cHzSi6H7Xq6oDPoiu8OdsrtYg1rIrb+/O/XtH9MrGnPuMh/xzuSf8HVumusoWwYkDZyBHF3mwHNqSgir2m2R+QSl2zV5t33sfcAuhdm1C8A7Moc1HIghcc4rO4eugU1i+6GOrUwUmXYsIXP/G1rbLoyw5MW0k6LMEdIt8zEaOZ+1f17WGlKnDyXhGPOXSOZAKrdn7AR3ga1UEAYvJ26Ley8OfrghV8z7PP0qF8spqopl13f7P6DFcpG9R1eryXXjTm2p6+vjSAC4x6/4wRII1fixK/uezKOe0q9BZfdNd6xz3uZz0/Jey9pnobGDcRP2wtFvw63Z3G92jugH8KX33M/n58iS0PJWycmht6D7YicTwP0JEz8IXKyYMVN3EhdmnXOXvbbUd1QoO3Vhb1+bOmN7yOeGsf6k25hcn56oyabyj93gybrEHspy41GOyEnvj4z9DsV/oP92iwiqLe/8cM3wR03bWxXuals9xg1UoDxnFH+QVkpsqSa06kYVAH6pgxcklrQEUFgQJqs/VG2NrSvqvqVJ05SOQ2jrS/kbp8vX5xf7OrQJLSM9R6FsbrsAwcK3roWchNp8UiSc2nJJZ9LisJi5IjWSudsXvtkIL/cIb1odTeFXR3x
Px0ivbuMp6xUkYPz/rePhEsmmhKcOAuDbN3PJ+Tp2TWtagGvyYV3iHiwKL0ncb8IRuaOHttE59TmaYljxs2VU7kPwOsOpXg9N+b78DR84OZqT8jVaj6fg843wi7Oss/9WEDAAbXThQazUKJ0p8fb6iOTRrdC70fwLAxj70EqP/3gdYxnXTOO89N4Gcmto/NMVXVx5Lwr3JWQe4VjXL1/zzTT7xw6SmJ96gzHzaiyYWNWWlBLHyhrrI95Jy2Vxs4DTq63+I1MiaO6XFH9MBl6w676TrrS8BA5IkZaIz91QpSSd5S1/ZTjyq0TQUe1Y5T8rlVQ9X4p5G3N5EOtNVCTPDfYWGqbVIpz54+iXDyY2eEWn6prwssX4++Xe1mbY2DoMPo0aHzs74LDIn5123cs8/S9wSE/Hc7dO+Q541I1qWKcvToSM09+p5wkTel0GHhkf0oMOHdnxq0j8UYIJ/eIaRgDY2aNIGdufcJUCcYdibbZb9yy4LKE68QMENzYwzTPe8oWXBhNMd0iMQWN8c2Kai4wgyfiwfPxdzknFJn4nfttlDKZ4RyqqW8u9EAacVidPO3yOWvQpg5Ft17CDFgWVIRNQnzb4enZSJGhd3MN3+PcCSVe+eqSvIKvyn/bfUi5NKQES7mIOBmmqrG9342QpsTRczNbjy3t8tgQj/GH1EJVi2zZPG9ICTMaQkCh82Ubww/Zmk4rXoIWdI2FXFaFx5U8jdxI9wFa3eHXMGurwL2v3lhuG2zMSKKEbWyDYcOm+17XpFGsnn+H0dSYZpBVTFWVu095jtGJh054L9m31mrJS+8/a7vIVWBGE6FKxQ4PNN7dW/YLFxutkfXz8uKqwXWNSU8PI+vb1fPK+n+p6YF+p4PJ+99qGgIw8dtV83yNc08xodjv/OXFOTkfKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0nfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGRyh8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9Lz757jltIAqTNa6BNX0vgk/9mkKsvLXtwrQvceMIjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4cO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNbofK+XKj1EzVXCLgc7JXaFaY5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyaFb5yecz8jTUSnxuhNOVp1xgAQfmgZ1d18q4bz4j3w0dDXI3CnMl1UpuGUIGWIPNLJbb0EcmbTJ6BBfcblroSVvl/j6UJr2FOWVr8mnUXBN8qulDFOWHhbdYzCWpKJczTSvYm45RU41Te/P3SdhSLi9wWfJelT45etMWsJd1FkGK3KB9YaqAY0QuC2m7b9x7WJFfG4mm5DtVgiBPuVxOvn1OuGLPydT9H7j/o5KKteFm8m08vmhZXcwEHUzOT61DbWv4JxcEF0VfF8rJdTv8Ss32NmqwKium/q/TgGfbBsGAdgc5itCySit3dzD7/O53qoF89AnA3377+d3vbz6cffutz7ldUk356JlcKX2VsmT5xgv2e7tgP8I26gSjMrUSEWp20nYp6Z4Dytxzsc5gwsyUBmk4SylAeq6kDBhX6b0gkfhAKqDFivLhcOJ7ewew93lqoO76pC5RN80006Ww09JYnbryHeu1sznE+m9psne0rfnI5yQ9tNhlMxhsoNKEYpNN3Uuod3EgZnzU0dSSms0Reyip0W5EETJ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HuSIlT0ffUBkL5IPcjjaOO4+/JQ6QtLW1s727NKntstob7PssE/mM3S7DU7uzZHptmU1P0Y8DIu+ZpQLx+u2mctFkBnnp/3aNuzE5cxBC/NIC4PxrMI257pwKuIB9BySeI3p1qH66ERVVSN3PVED7ORh
jZvui917uLZ/g7hO3eFmDtOs74vbJZXlf6h41GyDm6WWHyIZ7o3dcOEt5Exjas64SpYleiwLHrFfUS2HQYfHjrqRVV2oXML48v27C/Kb96NuklLjiHw5airB5X++JV8a0CO9WxshCw27nTrzJjf0HKJr8qEtOoumdXVaOkv4kPaBqtRjBBzQ+iDH0U1QbSQ4dm+4ZfoBDVRQXWXYLQc2g3uB1gkLkDugTZlsKu0WzLTdrrZAl9TuaoX3hTsFyRYV1anKSjq465oOxhffO/pE2SCdKgnMYpH8LDCYpS2g6gDP5thqKQNYNf1XBqg1TT4Jw3ecSn68MOhe8NQPTujcVoFTPZMjLQvKcDBK+vITB9vIhMZ7D/B0Xi9/ktd2kfx9Z7JgVhelSdp3vQfdQT4s8nQLwEtBk0sMWYCcc5mwKHIIOkdutCxmhVlxy5LLD1nMhFoZWqXPXenDlnaZD3qGqAuTBZc5xQmXNehquk6W8D6AXbOrPMCXVOQ4K7wuaq2sKtKHpBD68qcCPY7pYYtsd1OoeVHmYLYDnD7/jcmioteFtancBtuA3YkWkOFRqLjMhDSX+ZCuhSnEVBSpw6JbsL/PCDx5Z/Ae7NS9EPuwU1f19mH/nBH2q4yw/y0j7P+REfaf88C2qhZ0CjlESgc9vXkmi6oRqHxP1xneyRZ4fZVBL6kawedVnUf7dlomFfPUSUgBMs+hlBj4wtL7RmRhfEJihh00muWxJh3gPNakWZumzjCLlMmurDqLqWqVdaYHXGcQIVZZZ5jlgo1mTRbgjeTXkkplgGU4hMtXjiuZHoXlK1XbBdAyg1tNVXXBRAYftgOcIUiCcPV0bdO7RR1kkwVy3RQZYhpMc8sZFRkKiExB5yDZOmHWVR+2pGL9B5TTHHgvC2wDmgWybweTB2ufWJsF+nReL1/l8UGbYsrtn7M0GmOmSDsrbgewVslFtclyzREqMJ2+ys14H3+yWVs9wGAX3s+f3jnigaPalwW47yafroNcD/aMC8hhw5hilmMT+SxlcfY24By6gSl4jUmKRRZRx+vlT6Wx9aCZfyLYRrMssAWfQQ4zxqCjuYKSJysY3YbNZZ5TUqmyEWCYysHtAJzPM8gmVZsVtUln/vegxzLIkwDWMOfGapreE7KBnUHj01DnYrXOxmuDnch1JvnqM/P9Ec8A3WqgVQZF0pcC5UI7n3K9WihuCj9hNj30NdU0ywEvRwphU0Be+vn2qeFyY6lMPue4NHba6FTDAluo4GcF5YDaJMc1vR7d1iSnBouTG2bph10f2mlgH8w5LcvUd4CXqcOqbeugDG8RrwqmlaqydCVygDOYabwq8iRHho5HOdhcXyVvz1Sb9C1LeW1qzRMDFdRy2yTPPhNcQroWOxuoJulEnQ4uFt+md2sJ5bueFjOhkj/nHfAMKf/O5k0udRzQDBLH2dAZUE2emyDUPMvRlfMsF7hWOrUAq6bNPMc1q7hhOcRCZbIc2BxzICRYbK6UHG5yGe4bQKfO+PNQU6fjydUqtQWSpaJM+QHQyS1RlV4zUprPi8g8rnvDXUnQ6d+suvBDeZODTTqZegPWj3jNcsgyFG6GmTiphUEAm1oa1IV3JCVHlxrjPizYIlWd/wA0XNc8eSCgBl3NNZV20HM3BeRVFsDpn17fiezTp50poAkAazUvqKkTDgzog9Y0NVQNVOTQ7zQw5IPvOpoJeHomO8hpW7j2ICtdZsA4vSPTZPANG+8bzpAPYCB1IoAfeJzBODHwJf0BiDVoTQY1gyll+DyD4DV1ai+b0SzHPdCsTK5IG81iXXETALbpRmz1YTYmeVfNJZOpCyWi02LvC9Q36UxNvp3b9MfKA00f0etmeqaGu66Td2ttymmWPPRGiwxvYWNAFyVPXfWeZWxFGxnKwQbLjKVVam/wsuDSWDrLoBksubY51PBlLTO0brJKNzKlmzXWFi3SUfRNYxX50EgyWLrLHsk4LO8zFbwkJxpKbskJ1WXoZmiw/Xsc
HT85KyOXxiaEIhgcok+wvwFTgsRKdbp8CC7zce6sqoVaw2Cw4I38m6kmWVPvW54xx0PvM8J5ZxrmcE0quttoYROLlfNmdxhIdiQFNzicoV09bD02UCKmqWulLRk2HiVktaCWcEtqDbOxo3CPtNy7DKGIMT5YHR0KhMvQ2X2kL7TgMvdE/h6qbrU+noZYNQe7AD3ZfN8sVDN40QiRsATdjSOyitRUGyDvwFKcCO7vKu1Y8PStmpsXF77s9Rk5DSO+nhO7iEwpwmbAHyCMPka0JXkP9nduJZj4Pg8PdRbmzXBkd3eLcHFPrAGq2WLCJY/ihzN3j9Bfe0d84iwMTIZ4IWgjcdbvvME5rm0T93gD951+7Xtoyt+Ou6Opa8Id5hePGPtuI4qENU2367yKy5KPcG3xVoy5C44xjXpEIG0G173HCdVSjEy8xO65GceBY/9cA5Zo+NKAsXuadh+erXz3XvleZcCxPH5VL7F3PVJd3um2O2UfTh4jjI1t/R07tJvXUcpTzv6/eb6hW+z8tBUKuHb8bKDVkC6J945H2D0uU2qA+HTtDhsyuFXdLoVfPAy+shsF32GutG9fH2UjIdQQA4Djzuj+eVWaSkPZEcb7DjpM+6Ulqr2bQ8MajRPQ9iFdg664VzeOhfRmST+Ygy+5gDkQAUsQhBrD59Jv3GZef/zoY0vmB5TfuP6ekz59kEnPDrNG8i8N7I5JpPHL18P3sI6Jh01BaTUaXvoLyZSUgLkVZMXtYkxQEBKpDOk0dg0HlRfd2bRw7ER50j1RQs05o4I4DEZMH8TiYbHDpUbGND4c7+rF2sTR66WzrdROVmvqB54KTk2xUNltAm/EdeYazlLZDDVyUrE/gifeD4D4S+OwxTctDGJhAqievBFGOUN8676dYrCc/Bp+MSFv5Lr71wC6RVveSEtoOWGqqhsLOi6Gs7jxHWH5zLNvdvcCZyxubQi3/2xefv/Dn53te9rbjpZj30TRDue0SBsxu63jhq5Bk3/rfHLmRUADkYvf+tT1P/nPvNzgvHXq9+7HgcnLN8m2J7sDU9w6E/L+t49njnbQ4J0n6C8tuWEaairZ2mmVQT0Tu7kgBDn0nHx895qcS/vjy+fk/P3p2T9ek0/n0r76iTxdLdZEArcL0IQtlAmj0pTWwCx+64dX/+u/PXsS5QjYRUYZt8sPlKmTisbH8ZjMp++O1/zSn8XzFqn4FS8fF9J92XQD5gc2jLv1Ax/Dd0cx3Vgnn7m2DRXk7Zv3UWT/UBLy+bIOOxn/R0mYxHnr0P1qRCgScrPwxC14jG/wnn2YUwsr+gAj0vF0X5A3ZanRT+tPeQyd7ullVX1onPO+sZDzk3cX/lUaDY9V1Bwx+rHlVPKaani7yfmFQ2XE++V4eOAkiCQ8dGuP87DVxAo/Xeu4AqKHLi1L7r5MxSZg25vlH3/njngAnEmIF1yFG366fQQGqGxyrbPodbd90ih5HzC8UNp2InkgdEsMsOEGcLu+WfKaI/Pe08PlvH1MWrLejTFeQsxuPJYXN2CHli81RjHuVE7vNxroOMTJZU3lHCad6cSUnPF5o6Ek0zXCBFli1lBcztQHth4YFI2OaMvRRWcZ+h2IhLp/v4QruQNAQ6UsFCGzO32eUXrWltIUtPCp+BlA11bnAT7LcCRmGaqFRY7rkKv/SZ2BqbQsWk9cPrV814J3dEx2V+s7Ex5Agz2zC9ASLPm4ruE5+dQ+Y2/RAfYjuWgdYIOX4LcxTa0d1XMEZWLENG6RDn7x54QKEVUm6s0XMcGNakzMW4J2byCXVhFj8THnknw6HxUoDBNks8mr5CLbAVV1hrFvDrAGkzqj14HNUOLiX8TUqejob8+ArR+tUAiQ8+STIhFnp3xk1EJHNFCv8lDRC8BIwjCdYEYo+UXpFdXlcE43IW/mmOylCXU3/hpz6aZgVwAyrnom7pp41xi3slT0Q3UeGYIt4zEzYkAhlyHPFdMSKm6dWAojNuIkLgWVx4jj38JB
2SaI9FyUAwK3XZabSMrSWbBzNGC3X57UkUpg2IVgma4f3O0i9lRbzhpBNcF+0aRF4unZ9eu3aq5ms/j0d2CFXUD27d1C9qNb0N/GHt5nDm+H7pvGLkDakCw+irZpUnZOuF1Cj19yHPVPBvQowqqxTB2X02HJcYQvG8bAmBGcsfP4Yc3RDks8QbyIU3HnSq9JpDBhgNsxhNMWjrCDo5NKGOAztZLuXXFyK6Ycdj8kA0Vpm6plun50I+8mJb5rKdYMCA5lR0/ww+zow1wSw20TkZ8EiwsgiOgAdUENoaWq3etiF8A1USu52TLPOEuvlVTVSF4tzuQw3LeoP64S4ZR7Lksnf5Q2HQMo+YULIG8CYpMBG27j7JUdYf5OjiaMd/Q/SLrCKAsuQ9ZCWi7EaIwwImW9+z0Y4fP1LkO9RmpOjCeETlXO6oEI8VNY0CVXDWqXTFW1VhUfyVCEYyN3JulUYBHZjJzsx43LZSd2MiK5i+GW1kmiCGxhmHS4zAEIRtbv8Mu9u71XdnPfRo/dpsyykXa3nC21Rl9iGXjBDjHrb6UF4Xs8Bwmas5YkZAgm+u2mFnC7wKc2NtuNBGQn7IeJsXo8+NnSdEjbrQej6eV+moJ64dfKSFfUNO2McMsrME6ue21PQw2jQaSwC8maQty4Edh48J7boG95tA7p3f1gR+vH29H0Q2GSDTm9NWnBYXwThQPakOKNQLiFMPh6qXt5I3X6qHvnL1oS2vTNO5esl+pxBMgNcrwTIF/vcfzx5i1LNdrgOFt2O/mojypBUt6xW8iPox7HlLQNDmOn1GMJ2o6fOnnlTmMXRQV2oR4gSkK3PMnEoxG+Nrrh2EtJq6xepz1RnQ9KBH+tQ2TPuczkCfnH5OfvvydP356+uXhGTrmxXM4bbhZQYil8FBeh5ip7X6B9kTDMlp15PMI24xdHMsa0yuxV3Ff/6XY1hkF3Y9Ajn2zo812uC8O0/67ut+f4Q5xiMVMqY23SN5liVKTqTrdDyAda8sb4FYjSxPCKC6q9eHJi090hhu96vLwK77nh5TE7jfQz5T+5g9B6EXf6Ym4ueb46izdy313HsEaoNOz5f4OTCD8ZnIXguIFeWUYZd2UqnTMxYBCyQVYrPaeS/7Enq1rmOwq3ZfYBnO6fqRF2z7iO1pJm6vrzi1sOXwvf4sv3LtrKav4VqLALRjWQWkOpKi5ptOCuJ54uqOUgrbkxPV7QY1L7lj4osb71I9SZDq67Ok+c4KqpttgMaUPqfrF6xGZHQdjcRqLOoARNLZRFsqSyPefDCZ9f2hW74NmFVkteds3DwvdoXYugqQ4ORmj+4561bZ02ruBsiOTlkajslgy9/ux6hMzo8FDMnFxyHz1f7CruIy3gOqUz5VDwu2qecI06U+9HvUroeYRQr6OixkoNMVZpL/EdtAosxdWe4Lcm7ltP4tRXvCwFHE/KvcP1bivnItvbk3sHybl2PMZxyL0Iq/U6DMl1G519TmpB3Za591lpApLpdT3m5cdUyCPYk7fIoNOdbfmrMpa8o2zB5YhJV9JMkuObXV5/kpjpX2tw4sPpR77JmZmQtyWtyWf8h9ePSiV93ek/h48nWdAlOM1JANXkSwN6TbAHoamVNNBqVPHiVEdvgb85jrwMPfCYg6x52wVSevJ9X75xPFuSjoDq5gB9CM1Rb4spTnnK6zDbPeNta+mtJkbONgwPLzdEN1JG7VjzvHt5fOTZt5EaqbELEItgYebfCEpWXJZqZYipgfEZZ+6T57E6wZAnO7wgjjyP7ybnhjzFjrAg2eYZwtDlsx63SCPxHX8Lc8rW5JPZbnzbRWCr3ULa5Nm1boUjGOwjr33f1EJUsFYND5l7EQcc7/oARKr/typNsZxnyL5tsvMr1GPdeb16HaEYKYwetPCbA4g9Tl7vGKkhwze43ltZd4akj3cBHVJzHIddFzDY3ptNQqbfhsEOxRtS3Fz8jGUDKUcCjla4IcklzLgMvnoUTtjVr6L1SNNB
xO6gQrFMuG0cMDvqX2rB2Plsc9MeeimN9KbsfNjWUraojtwCf7MqMpwMrKP+dmQZ8jLlMt0EsaR3w5GMRYV5H8+IkOqX7eC2+Dbam/L+yNTOAdZ5374bsK6pbs+U+/PzDSmrBR+0Uifudjhb1ie/34o8m3xmiW9rofQ634b/xdRU/vXGjjEtIttd1Fv1PPY0Obb85QVCv4G2B1OJBlS1/db3UzV6CgqQVqv6ENFRqmY6cC7c6oyHNZ21DTeUIyCOvrrjuPfwRFU1levuPuK1w3H63l5ZgnbPUMHlTMWVAmquctcI3SA/dqzIFrMV5O2KPvuSK0fgl0aINfnPhgo+41CSU6x79s7BKCormBZMqSv+QEH332FK/Pob+5mKMW0+ebfZTTi8biyq3AeOML35rn/olghTdoI72vvkJ+TjuvakbzwHjjl+B8c3T8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HZky3u9chIfp5YXdd45RHtY4Va+0XPfoqmVyqSJbCPl1nH7QWpq465JJgtqUkb7e4B1KKdPDLnRIuE296Am3JXOGC0ancob0oNpQBd0ns6m3IBO/jxtg06a/rgNOpz6DIIFri1IVK3SGycOfrLT3Cl6Cw07qTKpNSq/xDFqCbdk7kdcFtWrF+G/TwIKL8J/hLymmNufCtDx7LxAzgNGzz0x/eA5elx7o9YG5JRhIJozqbicgdYjcdch3Uehq6/438j6qHv2CEi2fYlnvW2IXCkMa6usVyqyxNGO35mP27tj9xEziHX/T3+HYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkb4fAI6DP+ErSzMPc15IWvouMfI3oa7RZ+YXqfovTvN/zjUK3n31ijx3SaX/I+4t4ZfZZIp538/IxLmynK/gfWCmpEJUIYdu61Qbyv94uPDBd1WZ5sANUhw2TljbeP0tv4mnpBi+PwYFRXb/Y26qYcfRwctO2nCjWmSK50IGZOl8nnr7hdDQQxB66w+0MGm9KXnmVucXGJwep90OkqGRNcZPESRn15iauf+x6gnPQ9D8u7Scw+O4yLUGFEsc77ouyHV4MiOIlMW7ujRJnmbRpMLML+CYFFnam7wzWZcSf9BQtn6EzEYr1OanF+++fu7C3Lh3inymxyZvrLBNlMl9SHYflypOLYohtgC2JU5yIl8OyGctwdZbOhc16+zaxGGaaBhBOFGCu7RckHzQVPIB1ByPR5dV5BRowFxttQ2R5vw2cdySQUv/UGMILErCI/W1XqfIESOXcHa7IrtRCe/TSBNDHthbW0KjjNos4DGrczBEEYfwW3ic9lWvijN7fqGG8VUVWXtE3dLvD0ewSEUL8FfcQ1i19JM7WJZCSoLYx5q4K1b2cvw3wO1bY1WFFtfalzUih8jrTqGsMeAIAaIVNwaQLayBZVy0Dgjd7upsCoiMhKzPVLb5u5hCTMPf3/75n14917sLN89KFbpXd9/8p5t3FwVSyWaXAx4085xlmHOTTcZux3n20huDXnqkTDPsFsHFva2E3V3wBNEOkqNaDJJs7cB10+S25AuMNkuOliCxkyBWSMIU5JBbZ2hfOn3cKS9wmqVU/p6xjuDvR2h7RCtlbZEOf7++h9vYim4UbanPndKz4+fYLlbYLDlYp1S3+wk2ijmb2e/XZxfkHf0uuKy7MZ6x7fV0Xb0NMytIYojZAUyBtTtI6tTn+Ili8nTs32VYzE7XsHmQxfhtyRnVzu2nGVBKp+fhi69AYu9GIrjbcoD9wpoKa7+y9cNd4U5shxqkqlvN/pLnAn9QNmNYVw1WvFdULfyxb3PiWkiKerUkL8Yq5Wc/3UqKLsS3Fgo//Ii/O159ymXM2Dxj2Zcw4qKqCJDp6L3G0JlSYwiI8dSw5wbq9fOsj+msKipXYRm/R0OZBeHAZLolDoWmr4Q2tdrMaV7Xcg7fbLDHKTV6z/93wAAAP//cyu42Q==" 
+} diff --git a/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/input.yml b/x-pack/filebeat/module/rapid7/nexpose/config/input.yml new file mode 100644 index 00000000000..40fb8a664b9 --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Rapid7"
+ product: "Nexpose"
+ type: "Vulnerability"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/rapid7/nexpose/config/liblogparser.js
+ - ${path.home}/module/rapid7/nexpose/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js
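Review bot: The `debug: {{.debug}}` parameter handed to the script processor carries no warning that it is a data-exposure switch: as far as I can tell from the liblogparser.js added in this same change, `match()` writes the full raw input to the Filebeat log (`console.debug(" input: <<" + msg + ">>")`) and `dump()` serialises the whole event with `JSON.stringify`, and the accompanying field mappings show these feeds carry web cookies, usernames and certificate material. I would add a comment directly above `params:`: `# debug: true echoes every raw event into Filebeat's own log; keep it off outside of short troubleshooting sessions.` The syslog branch also binds `"{{.syslog_host}}:{{.syslog_port}}"` with no transport hardening options exposed in this template; if the module defaults to a non-loopback address that deserves a note too, but the defaults are not visible in this hunk.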
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} [%{p0}"); + +var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + +var dup3 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + +var dup4 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup5 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], +}); + +var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + +var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + +var dup8 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + +var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("hfld1"), + constant(" "), + field("payload"), + ], +}); + +var dup10 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup11 = setc("eventcategory","1614000000"); + +var dup12 = setc("ec_activity","Scan"); + +var dup13 = setc("ec_theme","TEV"); + +var dup14 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup15 = setf("msg","$MSG"); + +var dup16 = setf("obj_name","hobj_name"); + +var dup17 = setc("obj_type","Asset"); + +var dup18 = setc("eventcategory","1614030000"); + +var dup19 = setc("ec_outcome","Error"); + +var dup20 = setc("eventcategory","1605000000"); + +var dup21 = setc("ec_activity","Start"); + +var dup22 = setc("ec_outcome","Success"); + +var dup23 = setc("eventcategory","1611000000"); + +var dup24 = setc("ec_activity","Stop"); + +var dup25 = setc("action","Shutting down"); + +var dup26 = setc("action","shutting down"); + +var dup27 = 
setc("ec_outcome","Failure"); + +var dup28 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + +var dup29 = setf("fld17","hfld17"); + +var dup30 = setf("group_object","hsite"); + +var dup31 = setf("shost","hshost"); + +var dup32 = setf("sport","hsport"); + +var dup33 = setf("protocol","hprotocol"); + +var dup34 = setf("fld18","hinfo"); + +var dup35 = setc("ec_subject","Service"); + +var dup36 = setc("event_description","Nexpose is changing the database port number"); + +var dup37 = setc("event_state","DONE"); + +var dup38 = setc("event_description","Nexpose is executing data transfer process"); + +var dup39 = setc("event_description","Nexpose is installing the database"); + +var dup40 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + +var dup41 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var dup43 = setc("ec_outcome","Unknown"); + +var dup44 = setc("eventcategory","1701000000"); + +var dup45 = setc("ec_subject","User"); + +var dup46 = setc("ec_activity","Logon"); + +var dup47 = setc("ec_theme","Authentication"); + +var dup48 = setc("eventcategory","1401030000"); + +var dup49 = setc("ec_subject","NetworkComm"); + +var dup50 = setc("ec_subject","Group"); + +var dup51 = setc("ec_activity","Detect"); + +var dup52 = setc("ec_theme","Configuration"); + +var dup53 = setc("eventcategory","1801010000"); + +var dup54 = setf("obj_type","messageid"); + +var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); + +var dup56 = setc("eventcategory","1605030000"); + +var dup57 = setc("ec_activity","Modify"); + +var dup58 = setc("action","Replaced conf values"); + +var dup59 = setc("service","fld1"); + +var dup60 = linear_select([ + dup7, + dup8, +]); + +var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + 
+var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var dup63 = linear_select([ + dup41, + dup42, +]); + +var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, +])); + +var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, +])); + +var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, +])); + +var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, +])); + +var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ + setc("header_id","0031"), +])); + +var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); + +var select1 = linear_select([ + part1, + dup2, + dup3, +]); + +var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part2, + ], + on_success: processor_chain([ + setc("header_id","0022"), + ]), +}); + +var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0028"), + dup4, +])); + +var hdr3 = 
match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), + dup5, +])); + +var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ + setc("header_id","0024"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" completed "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0018"), + dup5, +])); + +var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0029"), + dup5, +])); + +var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0019"), + dup5, +])); + +var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0020"), + dup5, +])); + +var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0021"), + dup5, +])); + +var hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} 
[%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0023"), + dup5, +])); + +var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ + setc("header_id","0036"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0037"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + constant(" '"), + field("hfld2"), + constant("' - "), + field("hfld1"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup5, +])); + +var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), + dup4, +])); + +var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", processor_chain([ + setc("header_id","0040"), +])); + +var part3 = match("HEADER#18:0034/2", 
"nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup6, + dup60, + part3, + ], + on_success: processor_chain([ + setc("header_id","0034"), + ]), +}); + +var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); + +var select2 = linear_select([ + part4, + dup2, + dup3, +]); + +var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); + +var all3 = all_match({ + processors: [ + dup1, + select2, + part5, + ], + on_success: processor_chain([ + setc("header_id","0035"), + ]), +}); + +var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup5, +])); + +var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); + +var all4 = all_match({ + processors: [ + dup6, + dup60, + part6, + ], + on_success: processor_chain([ + setc("header_id","0032"), + ]), +}); + +var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0038"), + dup9, +])); + +var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ + setc("header_id","0039"), + dup9, +])); + +var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup5, +])); + +var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] [%{messageid}] %{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var part7 = 
match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); + +var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); + +var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); + +var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); + +var select3 = linear_select([ + part8, + part9, + part10, +]); + +var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); + +var all5 = all_match({ + processors: [ + dup6, + dup60, + part7, + select3, + part11, + ], + on_success: processor_chain([ + setc("header_id","0033"), + ]), +}); + +var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup5, +])); + +var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld41"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, +])); + +var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ + setc("header_id","0011"), +])); + +var hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} 
%{hfld42->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0012"), + dup5, +])); + +var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], + }), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ + setc("header_id","0014"), + dup10, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ + setc("header_id","0015"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ + setc("header_id","0016"), + dup10, + 
call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld45"), + constant(" ("), + field("hfld46"), + constant(") - "), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("(U) "), + field("payload"), + ], + }), +])); + +var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ + setc("header_id","0026"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Constructor threw "), + field("payload"), + ], + }), +])); + +var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Called method "), + field("payload"), + ], + }), +])); + +var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" frames "), + field("payload"), + ], + }), +])); + +var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ + setc("header_id","9999"), + setc("messageid","NEXPOSE_GENERIC"), +])); + +var select4 = linear_select([ + hdr1, + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + all2, + all3, + hdr18, + all4, + hdr19, + hdr20, + hdr21, + hdr22, + all5, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, +]); + +var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg1 = 
msg("NOT_VULNERABLE_VERSION", part12); + +var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg2 = msg("VULNERABLE_VERSION", part13); + +var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg3 = msg("NOT_VULNERABLE", part14); + +var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg4 = msg("NOT_VULNERABLE:01", part15); + +var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg5 = msg("NOT_VULNERABLE:02", part16); + +var select5 = linear_select([ + msg3, + msg4, + msg5, +]); + +var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg6 = msg("VULNERABLE", part17); + +var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg7 = msg("VULNERABLE:01", part18); + +var select6 = linear_select([ + msg6, + msg7, +]); + +var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, +])); + +var msg8 = msg("ERROR", part19); + +var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", 
processor_chain([ + dup18, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup17, +])); + +var msg9 = msg("ERROR:01", part20); + +var select7 = linear_select([ + msg8, + msg9, +]); + +var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ + dup20, + dup21, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Initialization successful"), +])); + +var msg10 = msg("ExtMgr", part21); + +var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ + dup20, + dup21, + dup13, + dup14, + dup15, + setc("event_description","initializing"), +])); + +var msg11 = msg("ExtMgr:01", part22); + +var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup24, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Shutdown successful."), +])); + +var msg12 = msg("ExtMgr:02", part23); + +var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup25, +])); + +var msg13 = msg("ExtMgr:03", part24); + +var select8 = linear_select([ + msg10, + msg11, + msg12, + msg13, +]); + +var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ + dup20, + dup24, + dup13, + dup14, + dup15, + dup25, +])); + +var msg14 = msg("ScanMgr", part25); + +var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ + dup23, + dup24, + dup13, + dup14, + dup15, + dup26, +])); + +var msg15 = msg("ScanMgr:01", part26); + +var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ + dup20, + dup12, + dup13, + dup27, + dup14, + dup15, +])); + +var msg16 = msg("ScanMgr:02", part27); + +var select9 = linear_select([ + msg14, + msg15, + msg16, +]); + +var part28 = match("MESSAGE#16:NSE", 
"nwparser.payload", "Logging initialized %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Logging initialized"), +])); + +var msg17 = msg("NSE", part28); + +var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); + +var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); + +var select10 = linear_select([ + part29, + part30, +]); + +var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); + +var all6 = all_match({ + processors: [ + dup28, + select10, + part31, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initializing"), + ]), +}); + +var msg18 = msg("NSE:01", all6); + +var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup26, +])); + +var msg19 = msg("NSE:02", part32); + +var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","NeXpose scan engine initialization completed."), +])); + +var msg20 = msg("NSE:03", part33); + +var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","disabling promiscuous on all devices"), +])); + +var msg21 = msg("NSE:04", part34); + +var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg22 = msg("NSE:05", part35); + +var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg23 = msg("NSE:07", part36); + +var select11 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, +]); + +var part37 = match("MESSAGE#21:Console", 
"nwparser.payload", "NSE Name: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg24 = msg("Console", part37); + +var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg25 = msg("Console:01", part38); + +var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg26 = msg("Console:02", part39); + +var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg27 = msg("Console:03", part40); + +var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg28 = msg("Console:04", part41); + +var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","log rotation completed"), +])); + +var msg29 = msg("Console:05", part42); + +var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","rotating logs"), +])); + +var msg30 = msg("Console:06", part43); + +var select12 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, +]); + +var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Loaded"), +])); + +var msg31 = msg("ProtocolFper", part44); + +var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup17, + setc("action","Closing service"), +])); + +var msg32 = msg("Nexpose", part45); + +var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", 
processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + setc("action","Freeing"), +])); + +var msg33 = msg("Nexpose:01", part46); + +var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup17, + setc("action","starting"), +])); + +var msg34 = msg("Nexpose:02", part47); + +var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg35 = msg("Nexpose:03", part48); + +var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Backup completed"), +])); + +var msg36 = msg("Backup_completed", part49); + +var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup36, + dup37, +])); + +var msg37 = msg("Nexpose:04", part50); + +var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + dup36, +])); + +var msg38 = msg("Nexpose:05", part51); + +var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup38, + dup37, +])); + +var msg39 = msg("Nexpose:06", part52); + +var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + dup38, +])); + +var msg40 = msg("Nexpose:07", part53); + +var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. 
DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup39, + dup37, +])); + +var msg41 = msg("Nexpose:08", part54); + +var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %(unknown).%{fld1}.", processor_chain([ + dup20, + dup14, + dup15, + dup39, +])); + +var msg42 = msg("Nexpose:09", part55); + +var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nexpose is moving a directory"), +])); + +var msg43 = msg("Nexpose:10", part56); + +var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ + dup20, + dup14, + dup15, + dup37, +])); + +var msg44 = msg("Nexpose:11", part57); + +var msg45 = msg("Nexpose:12", dup61); + +var select13 = linear_select([ + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup25, +])); + +var msg46 = msg("Shutting", part58); + +var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg47 = msg("shutting:01", part59); + +var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, +])); + +var msg48 = msg("shutting", part60); + +var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + 
dup30, + dup31, + dup32, + dup33, + dup34, + dup25, +])); + +var msg49 = msg("Shutdown", part61); + +var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup29, + dup25, +])); + +var msg50 = msg("Security", part62); + +var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg51 = msg("Security:02", part63); + +var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ + dup20, + dup15, +])); + +var msg52 = msg("Security:06", part64); + +var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); + +var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); + +var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); + +var select14 = linear_select([ + part66, + part67, +]); + +var all7 = all_match({ + processors: [ + part65, + select14, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg53 = msg("Security:03", all7); + +var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. 
%{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console is launching in Maintenance Mode"), +])); + +var msg54 = msg("Security:04", part68); + +var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Security Console update failed"), +])); + +var msg55 = msg("Security:05", part69); + +var select15 = linear_select([ + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, +]); + +var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("action","Stopped"), +])); + +var msg56 = msg("Web", part70); + +var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg57 = msg("Web:02", part71); + +var select16 = linear_select([ + msg56, + msg57, +]); + +var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ + dup23, + dup14, + dup15, + dup16, + dup17, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + dup26, +])); + +var msg58 = msg("Done", part72); + +var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg59 = msg("Done:02", part73); + +var select17 = linear_select([ + msg58, + msg59, +]); + +var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg60 = msg("Queueing:01", part74); + +var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, + 
setc("action","Queueing"), +])); + +var msg61 = msg("Queueing", part75); + +var select18 = linear_select([ + msg60, + msg61, +]); + +var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); + +var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); + +var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); + +var select19 = linear_select([ + part77, + part78, +]); + +var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); + +var all8 = all_match({ + processors: [ + part76, + select19, + part79, + ], + on_success: processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Performing injection"), + ]), +}); + +var msg62 = msg("Performing", all8); + +var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, +])); + +var msg63 = msg("Performing:01", part80); + +var select20 = linear_select([ + msg62, + msg63, +]); + +var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + setc("action","Trying injection"), +])); + +var msg64 = msg("Trying", part81); + +var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg65 = msg("Rewrote", part82); + +var msg66 = msg("SPIDER", dup62); + +var msg67 = msg("Preparing", dup62); + +var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + setc("action","scan started"), +])); + +var msg68 = msg("Scan", part83); + +var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan [%{fld35}] completed in %{fld36}", processor_chain([ + dup11, 
+ dup12, + dup13, + dup22, + dup14, + dup15, + setc("action","scan completed"), +])); + +var msg69 = msg("Scan:01", part84); + +var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg70 = msg("Scan:03", part85); + +var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg71 = msg("Scan:04", part86); + +var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); + +var all9 = all_match({ + processors: [ + dup40, + dup63, + part87, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg72 = msg("Scan:06", all9); + +var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); + +var all10 = all_match({ + processors: [ + dup40, + dup63, + part88, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg73 = msg("Scan:05", all10); + +var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); + +var all11 = all_match({ + processors: [ + dup40, + dup63, + part89, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg74 = msg("Scan:07", all11); + +var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); + +var all12 = all_match({ + processors: [ + dup40, + dup63, + part90, + ], + on_success: processor_chain([ 
+ dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg75 = msg("Scan:09", all12); + +var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); + +var all13 = all_match({ + processors: [ + dup40, + dup63, + part91, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg76 = msg("Scan:08", all13); + +var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg77 = msg("Scan:10", part92); + +var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ + dup18, + dup12, + dup13, + dup14, + dup15, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg78 = msg("Scan:11", part93); + +var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ + dup23, + dup12, + dup13, + dup19, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg79 = msg("Scan:12", part94); + +var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan synopsis inconsistency resolved"), +])); + +var msg80 = msg("Scan:13", part95); + +var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); + +var part97 = match("MESSAGE#62:Scan:15/1_0", "nwparser.p0", "Non-Windows Systems Audit%{p0}"); + +var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", 
"Audit%{p0}"); + +var select21 = linear_select([ + part97, + part98, +]); + +var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); + +var all14 = all_match({ + processors: [ + part96, + select21, + part99, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + setc("event_description","Scan for site restored"), + ]), +}); + +var msg81 = msg("Scan:15", all14); + +var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ + dup11, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg82 = msg("Scan:02", part100); + +var select22 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, +]); + +var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. %{info}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, + setc("event_description","Inconsistency discovered for scan"), +])); + +var msg83 = msg("Scan:14", part101); + +var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ + dup44, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg84 = msg("Site", part102); + +var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ + setc("eventcategory","1401060000"), + dup45, + dup46, + dup47, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg85 = msg("Authenticated", part103); + +var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. 
Login information is missing.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg86 = msg("Authentication", part104); + +var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg87 = msg("Authentication:01", part105); + +var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. User account may be invalid or disabled.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg88 = msg("Authentication:02", part106); + +var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ + setc("eventcategory","1304000000"), + dup45, + dup46, + dup47, + dup14, + dup15, + dup16, + dup29, +])); + +var msg89 = msg("Authentication:03", part107); + +var select23 = linear_select([ + msg86, + msg87, + msg88, + msg89, +]); + +var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg90 = msg("User", part108); + +var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg91 = msg("User:04", part109); + +var select24 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("persistent-xss", dup61); + +var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", processor_chain([ + 
setc("eventcategory","1402020200"), + dup45, + setc("ec_activity","Create"), + dup47, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","User"), +])); + +var msg93 = msg("Adding:01", part110); + +var msg94 = msg("Adding", dup62); + +var select25 = linear_select([ + msg93, + msg94, +]); + +var msg95 = msg("credentials", dup62); + +var msg96 = msg("SPIDER-XSS", dup62); + +var msg97 = msg("Processing", dup62); + +var msg98 = msg("but", dup62); + +var msg99 = msg("j_password", dup62); + +var msg100 = msg("j_username", dup62); + +var msg101 = msg("osspi_defaultTargetLocation", dup62); + +var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg102 = msg("spider-parse-robot-exclusions", part111); + +var msg103 = msg("Cataloged", dup62); + +var msg104 = msg("Dumping", dup62); + +var msg105 = msg("Form", dup62); + +var msg106 = msg("Relaunching", dup62); + +var msg107 = msg("main", dup62); + +var msg108 = msg("SystemFingerprint", dup62); + +var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg109 = msg("Searching", part112); + +var msg110 = msg("TCPSocket", dup62); + +var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup16, + dup17, +])); + +var msg111 = msg("connected", part113); + +var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup49, + dup27, + dup14, + dup15, +])); + +var msg112 = msg("Failed", part114); + +var part115 = match("MESSAGE#92:Attempting:01", "nwparser.payload", "Attempting to authenticate user 
%{username->} from %{saddr}.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg113 = msg("Attempting:01", part115); + +var msg114 = msg("Attempting", dup64); + +var select26 = linear_select([ + msg113, + msg114, +]); + +var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg115 = msg("Recursively:01", part116); + +var msg116 = msg("Recursively", dup62); + +var select27 = linear_select([ + msg115, + msg116, +]); + +var msg117 = msg("building", dup62); + +var msg118 = msg("Sending", dup62); + +var msg119 = msg("sending", dup64); + +var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ + dup20, + dup49, + dup14, + dup15, + dup17, +])); + +var msg120 = msg("creating", part117); + +var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg121 = msg("Trusted", part118); + +var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg122 = msg("signon_type", part119); + +var msg123 = msg("list-user-directory", dup62); + +var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); + +var msg125 = msg("Could", dup62); + +var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","Software Fingerprint"), +])); + +var msg126 = msg("Asserting", part120); + +var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting 
run entry: %{service}: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg127 = msg("Asserting:01", part121); + +var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg128 = msg("Asserting:02", part122); + +var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg129 = msg("Asserting:03", part123); + +var msg130 = msg("Asserting:04", dup62); + +var select28 = linear_select([ + msg126, + msg127, + msg128, + msg129, + msg130, +]); + +var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg131 = msg("Determining:01", part124); + +var msg132 = msg("Determining", dup62); + +var select29 = linear_select([ + msg131, + msg132, +]); + +var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup27, + dup14, + dup15, + dup16, + dup17, +])); + +var msg133 = msg("Webmin", part125); + +var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg134 = msg("Running:02", part126); + +var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running %{protocol->} service %{service}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup29, 
+ dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg135 = msg("Running:01", part127); + +var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, +])); + +var msg136 = msg("Running", part128); + +var select30 = linear_select([ + msg134, + msg135, + msg136, +]); + +var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); + +var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); + +var select31 = linear_select([ + part129, + part130, +]); + +var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", "%{} %(unknown)"); + +var all15 = all_match({ + processors: [ + select31, + part131, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg137 = msg("path:", all15); + +var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ + dup20, + dup15, + setc("info","Service path is insecure."), +])); + +var msg138 = msg("path:01", part132); + +var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg139 = msg("Service", part133); + +var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ + dup20, + dup35, + dup14, + dup15, + dup16, + dup17, +])); + +var msg140 = msg("ServiceFingerprint", part134); + +var msg141 = msg("path", dup65); + +var select32 = linear_select([ + msg137, + msg138, + msg139, + msg140, + msg141, +]); + +var msg142 = msg("using", dup61); + +var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ + dup20, + dup50, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg143 = msg("Found:01", part135); + 
+var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg144 = msg("Found:02", part136); + +var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ + dup20, + dup45, + dup51, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg145 = msg("Found:03", part137); + +var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg146 = msg("Found:04", part138); + +var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg147 = msg("Found:05", part139); + +var msg148 = msg("Found", dup62); + +var select33 = linear_select([ + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, +]); + +var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var msg149 = msg("FTP", part140); + +var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg150 = msg("Starting:02", part141); + +var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: %{fld13}.", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg151 = 
msg("Starting:01", part142); + +var msg152 = msg("Starting", dup62); + +var select34 = linear_select([ + msg150, + msg151, + msg152, +]); + +var msg153 = msg("loading", dup61); + +var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg154 = msg("trying", part143); + +var msg155 = msg("Retrieving", dup64); + +var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, +])); + +var msg156 = msg("Got", part144); + +var msg157 = msg("unexpected", dup64); + +var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg158 = msg("checking:03", part145); + +var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg159 = msg("No", part146); + +var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg160 = msg("No:01", part147); + +var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg161 = msg("No:02", part148); + +var part149 = match("MESSAGE#141:No:03", "nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var 
msg162 = msg("No:03", part149); + +var msg163 = msg("No:04", dup61); + +var select35 = linear_select([ + msg159, + msg160, + msg161, + msg162, + msg163, +]); + +var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg164 = msg("Applying", part150); + +var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ + dup44, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg165 = msg("Update", part151); + +var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg166 = msg("Update:02", part152); + +var msg167 = msg("Update:03", dup61); + +var select36 = linear_select([ + msg165, + msg166, + msg167, +]); + +var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg168 = msg("Installing", part153); + +var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %(unknown).", processor_chain([ + dup20, + dup52, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg169 = msg("Installing:01", part154); + +var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Installing Postgres files"), +])); + +var msg170 = msg("Installing:02", part155); + +var select37 = linear_select([ + msg168, + msg169, + msg170, +]); + +var part156 = match("MESSAGE#146:Resolving", 
"nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg171 = msg("Resolving", part156); + +var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("obj_type","DNS"), +])); + +var msg172 = msg("DNS", part157); + +var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg173 = msg("Scanning", part158); + +var msg174 = msg("param:", dup64); + +var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg175 = msg("Windows", part159); + +var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg176 = msg("Windows:01", part160); + +var msg177 = msg("Windows:02", dup61); + +var select38 = linear_select([ + msg175, + msg176, + msg177, +]); + +var msg178 = msg("Parsed", dup64); + +var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg179 = msg("JRE", part161); + +var msg180 = msg("Microsoft", dup64); + +var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var 
msg181 = msg("MDAC", part162); + +var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg182 = msg("Name", part163); + +var msg183 = msg("Flash", dup64); + +var msg184 = msg("Skipping", dup64); + +var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ + dup20, + dup35, + dup24, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg185 = msg("Closing", part164); + +var part165 = match("MESSAGE#238:Closing:03", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Closing connection to scan engine"), +])); + +var msg186 = msg("Closing:03", part165); + +var msg187 = msg("Closing:02", dup61); + +var select39 = linear_select([ + msg185, + msg186, + msg187, +]); + +var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg188 = msg("key", part166); + +var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup50, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg189 = msg("Listing", part167); + +var msg190 = msg("Getting", dup64); + +var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg191 = msg("Version:", part168); + +var msg192 = msg("IE", dup64); + +var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} 
open ports): %{fld11->} seconds", processor_chain([ + dup20, + dup12, + dup13, + dup22, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of Open ports"), +])); + +var msg193 = msg("Completed", part169); + +var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg194 = msg("Completed:01", part170); + +var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of asset group synopses"), +])); + +var msg195 = msg("Completed:02", part171); + +var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of site synopsis"), +])); + +var msg196 = msg("Completed:03", part172); + +var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed recomputation of synopsis data"), +])); + +var msg197 = msg("Completed:04", part173); + +var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + dup14, + dup15, +])); + +var msg198 = msg("Completed:05", part174); + +var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup18, + dup12, + dup13, + dup43, + 
dup14, + dup15, +])); + +var msg199 = msg("Completed:06", part175); + +var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: %{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed purging sub-scan results"), +])); + +var msg200 = msg("Completed:07", part176); + +var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Completed computation of synopsis"), +])); + +var msg201 = msg("Completed:08", part177); + +var select40 = linear_select([ + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, +]); + +var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %(unknown)", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg202 = msg("Retrieved", part178); + +var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg203 = msg("CIFS", part179); + +var msg204 = msg("Cached:", dup64); + +var msg205 = msg("Enumerating", dup64); + +var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg206 = msg("Checking:01", part180); + +var msg207 = msg("Checking:02", dup64); + +var select41 = linear_select([ + msg206, + msg207, +]); + +var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: 
'%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg208 = msg("CSIDL_SYSTEMX86", part181); + +var part182 = match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg209 = msg("CSIDL_SYSTEM", part182); + +var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg210 = msg("office", part183); + +var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg211 = msg("Exchange", part184); + +var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg212 = msg("SQL", part185); + +var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ + dup20, + dup12, + dup13, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg213 = msg("starting", part186); + +var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg214 = msg("Host", part187); + +var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg215 = msg("Host:01", part188); + +var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", 
"Host FQDN: %{fqdn}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg216 = msg("Host:02", part189); + +var select42 = linear_select([ + msg214, + msg215, + msg216, +]); + +var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg217 = msg("Advertising", part190); + +var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg218 = msg("IP", part191); + +var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %(unknown).", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg219 = msg("Updating:01", part192); + +var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg220 = msg("Updating", part193); + +var select43 = linear_select([ + msg219, + msg220, +]); + +var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of vulnerabilities"), +])); + +var msg221 = msg("Updated", part194); + +var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of assets"), +])); + +var msg222 = msg("Updated:01", part195); + +var part196 = 
match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of sites"), +])); + +var msg223 = msg("Updated:02", part196); + +var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Number of groups"), +])); + +var msg224 = msg("Updated:03", part197); + +var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); + +var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); + +var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); + +var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); + +var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); + +var select44 = linear_select([ + part199, + part200, + part201, + part202, +]); + +var all16 = all_match({ + processors: [ + part198, + select44, + ], + on_success: processor_chain([ + dup20, + dup15, + ]), +}); + +var msg225 = msg("Updated:04", all16); + +var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); + +var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", "scan risk scores%{p0}"); + +var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); + +var select45 = linear_select([ + part204, + part205, +]); + +var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); + +var all17 = all_match({ + processors: [ + part203, + select45, + part206, + ], + on_success: 
processor_chain([ + dup11, + dup14, + dup15, + setc("event_description","Updated risk scores"), + ]), +}); + +var msg226 = msg("Updated:06", all17); + +var msg227 = msg("Updated:05", dup65); + +var select46 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, +]); + +var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg228 = msg("Started", part207); + +var msg229 = msg("Started:02", dup61); + +var select47 = linear_select([ + msg228, + msg229, +]); + +var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg230 = msg("Executing", part208); + +var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg231 = msg("Executing:01", part209); + +var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg232 = msg("Executing:02", part210); + +var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg233 = msg("Executing:04", part211); + +var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg234 = msg("Executing:03", part212); + +var select48 = linear_select([ + msg230, + msg231, + msg232, + msg233, + msg234, +]); + +var part213 
= match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg235 = msg("A", part213); + +var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ + dup48, + dup45, + dup46, + dup47, + dup27, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg236 = msg("Administrative:01", part214); + +var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg237 = msg("Administrative", part215); + +var select49 = linear_select([ + msg236, + msg237, +]); + +var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Initializing remote scan engine"), +])); + +var msg238 = msg("Initializing:01", part216); + +var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); + +var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); + +var part219 = match("MESSAGE#196:Initializing/1_2", "nwparser.p0", "%{event_description}"); + +var select50 = linear_select([ + part217, + part218, + part219, +]); + +var all18 = all_match({ + processors: [ + dup28, + select50, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + ]), +}); + +var msg239 = msg("Initializing", all18); + +var select51 = linear_select([ + msg238, + msg239, +]); + +var 
msg240 = msg("Creating", dup64); + +var msg241 = msg("Loading", dup64); + +var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of policies"), +])); + +var msg242 = msg("Loaded", part220); + +var msg243 = msg("Loaded:01", dup66); + +var select52 = linear_select([ + msg242, + msg243, +]); + +var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","No. of live nodes"), +])); + +var msg244 = msg("Finished", part221); + +var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg245 = msg("Finished:01", part222); + +var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg246 = msg("Finished:02", part223); + +var msg247 = msg("Finished:03", dup67); + +var select53 = linear_select([ + msg244, + msg245, + msg246, + msg247, +]); + +var msg248 = msg("CheckProcessor:", dup64); + +var msg249 = msg("Locating", dup64); + +var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg250 = msg("TCP", part224); + +var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ + dup20, + dup14, + 
dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg251 = msg("UDP", part225); + +var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, + setc("dclass_counter1_string","Live nodes"), +])); + +var msg252 = msg("Queued", part226); + +var msg253 = msg("Reading", dup64); + +var msg254 = msg("Registering", dup64); + +var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg255 = msg("Registered", part227); + +var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg256 = msg("Registered:02", part228); + +var select54 = linear_select([ + msg255, + msg256, +]); + +var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var msg257 = msg("Seeing", part229); + +var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. 
[Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ + dup20, + dup14, + dup15, + dup16, +])); + +var msg258 = msg("Logging", part230); + +var msg259 = msg("Firefox", dup64); + +var msg260 = msg("nodes", dup64); + +var msg261 = msg("common", dup67); + +var msg262 = msg("jess.JessException:", dup67); + +var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg263 = msg("Successfully", part231); + +var msg264 = msg("Establishing", dup61); + +var msg265 = msg("Response", dup61); + +var msg266 = msg("Auto-update", dup61); + +var msg267 = msg("Approved:03", dup61); + +var msg268 = msg("HHH000436:", dup61); + +var msg269 = msg("Staged", dup61); + +var msg270 = msg("Refreshing", dup61); + +var msg271 = msg("Activation", dup61); + +var msg272 = msg("Acknowledging", dup61); + +var msg273 = msg("Acknowledged", dup61); + +var msg274 = msg("Validating", dup61); + +var msg275 = msg("Patching", dup61); + +var msg276 = msg("JAR", dup61); + +var msg277 = msg("Destroying", dup61); + +var msg278 = msg("Invocation", dup61); + +var msg279 = msg("Using", dup61); + +var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown complete, %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg280 = msg("Route:01", part232); + +var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg281 = msg("Route:02", part233); + +var select55 = linear_select([ + msg280, + msg281, +]); + +var msg282 = msg("Deploying", dup61); + +var msg283 = msg("Generating", dup61); + +var msg284 = msg("Staging", dup61); + +var msg285 = msg("Removing", dup61); + +var msg286 = msg("At", dup61); + +var msg287 = msg("An", dup61); + +var msg288 = msg("The", dup61); + +var msg289 = msg("Downloading", dup61); 
+ +var msg290 = msg("Downloaded", dup61); + +var msg291 = msg("Restarting", dup61); + +var msg292 = msg("Requested", dup61); + +var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg293 = msg("Freeing", part234); + +var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg294 = msg("Freeing:01", part235); + +var select56 = linear_select([ + msg293, + msg294, +]); + +var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg295 = msg("Kill", part236); + +var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %(unknown)", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg296 = msg("Created:01", part237); + +var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg297 = msg("Created:02", part238); + +var select57 = linear_select([ + msg296, + msg297, +]); + +var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg298 = msg("Product", part239); + +var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %(unknown)", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg299 = msg("Current", part240); + +var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg300 = msg("Current:01", part241); + +var select58 = linear_select([ + msg299, + msg300, +]); + +var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", 
processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg301 = msg("Super", part242); + +var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg302 = msg("Computer", part243); + +var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg303 = msg("Operating", part244); + +var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg304 = msg("CPU", part245); + +var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg305 = msg("Number", part246); + +var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg306 = msg("Total", part247); + +var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg307 = msg("Total:02", part248); + +var select59 = linear_select([ + msg306, + msg307, +]); + +var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg308 = msg("Available", part249); + +var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg309 = msg("Disk", part250); + +var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg310 = msg("JVM", part251); + +var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ + dup20, + 
dup14, + dup15, +])); + +var msg311 = msg("Pausing", part252); + +var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg312 = msg("Policy", part253); + +var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Policy benchmark is not valid builtin content and will not load"), +])); + +var msg313 = msg("Policy:01", part254); + +var select60 = linear_select([ + msg312, + msg313, +]); + +var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg314 = msg("Bulk", part255); + +var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg315 = msg("Importing", part256); + +var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized %{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg316 = msg("Imported", part257); + +var msg317 = msg("Imported:01", dup65); + +var select61 = linear_select([ + msg316, + msg317, +]); + +var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg318 = msg("Compiling", part258); + +var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg319 = msg("Vulnerability", part259); + +var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg320 = msg("Truncating", part260); + 
+var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg321 = msg("Synchronizing", part261); + +var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg322 = msg("Parsing", part262); + +var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg323 = msg("Remapping", part263); + +var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg324 = msg("Remapped", part264); + +var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg325 = msg("Database", part265); + +var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg326 = msg("Database:01", part266); + +var select62 = linear_select([ + msg325, + msg326, +]); + +var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg327 = msg("Accepting", part267); + +var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg328 = msg("VERSION:03", part268); + +var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg329 = msg("Detected", part269); + +var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg330 = msg("Telling", part270); + +var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", 
"Stopping %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg331 = msg("Stopping", part271); + +var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg332 = msg("removing", part272); + +var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg333 = msg("Enabling", part273); + +var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg334 = msg("Granting", part274); + +var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg335 = msg("Version", part275); + +var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg336 = msg("Configuring", part276); + +var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg337 = msg("Scheduler", part277); + +var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Scheduler started"), +])); + +var msg338 = msg("Scheduler:01", part278); + +var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg339 = msg("Scheduler:02", part279); + +var select63 = linear_select([ + msg337, + msg338, + msg339, +]); + +var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg340 = msg("PostgreSQL", part280); + +var part281 = match("MESSAGE#307:Cleaning", 
"nwparser.payload", "Cleaning %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg341 = msg("Cleaning", part281); + +var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Cleaning up sub-scan results"), +])); + +var msg342 = msg("Cleaning:01", part282); + +var select64 = linear_select([ + msg341, + msg342, +]); + +var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); + +var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); + +var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); + +var select65 = linear_select([ + part284, + part285, +]); + +var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); + +var all19 = all_match({ + processors: [ + part283, + select65, + part286, + ], + on_success: processor_chain([ + dup20, + dup14, + dup15, + ]), +}); + +var msg343 = msg("Installed:01", all19); + +var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg344 = msg("Inserted", part287); + +var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg345 = msg("Deleted", part288); + +var msg346 = msg("Default", dup66); + +var msg347 = msg("Apache", dup66); + +var msg348 = msg("JMX", dup66); + +var msg349 = msg("AllowUseOriginalMessage", dup66); + +var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. 
The total check count is %{dclass_counter2}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg350 = msg("Initialized", part289); + +var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg351 = msg("Initialized:01", part290); + +var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Initialized Scheduler Signaller"), +])); + +var msg352 = msg("Initialized_Scheduler", part291); + +var select66 = linear_select([ + msg350, + msg351, + msg352, +]); + +var msg353 = msg("Error", dup66); + +var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg354 = msg("Graceful", part292); + +var msg355 = msg("StreamCaching", dup61); + +var msg356 = msg("Local", dup66); + +var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg357 = msg("DB_VERSION", part293); + +var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg358 = msg("Populating", part294); + +var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg359 = msg("EventLog", part295); + +var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg360 = msg("Making", part296); + +var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + 
+var msg361 = msg("Setting", part297); + +var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg362 = msg("initdb", part298); + +var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg363 = msg("Verifying", part299); + +var msg364 = msg("OS", dup66); + +var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg365 = msg("Benchmark", part300); + +var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, +])); + +var msg366 = msg("Report:01", part301); + +var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup29, + dup54, + dup16, +])); + +var msg367 = msg("Report", part302); + +var select67 = linear_select([ + msg366, + msg367, +]); + +var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, +])); + +var msg368 = msg("Cannot_preload", part303); + +var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ + dup53, + dup14, + dup15, + dup55, +])); + +var msg369 = msg("Cannot_preload:01", part304); + +var select68 = linear_select([ + msg368, + msg369, +]); + +var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Syntax error"), +])); + +var 
msg370 = msg("ERROR:02", part305); + +var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","QuartzRepeaterBuilder failed to add schedule"), +])); + +var msg371 = msg("QuartzRepeaterBuilder", part306); + +var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Backing up"), +])); + +var msg372 = msg("Backing_up", part307); + +var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), +])); + +var msg373 = msg("Not_configured", part308); + +var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), +])); + +var msg374 = msg("Not_configured:01", part309); + +var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), +])); + +var msg375 = msg("Not_configured:02", part310); + +var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value 
%{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), +])); + +var msg376 = msg("Not_configured:03", part311); + +var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), +])); + +var msg377 = msg("Not_configured:04", part312); + +var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), +])); + +var msg378 = msg("Not_configured:05", part313); + +var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), +])); + +var msg379 = msg("Not_configured:06", part314); + +var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), +])); + +var msg380 = msg("Not_configured:07", part315); + +var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured 
- returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), +])); + +var msg381 = msg("Not_configured:08", part316); + +var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), +])); + +var msg382 = msg("Not_configured:09", part317); + +var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), +])); + +var msg383 = msg("Not_configured:10", part318); + +var part319 = match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), +])); + +var msg384 = msg("Not_configured:11", part319); + +var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), +])); + +var msg385 = msg("Not_configured:12", part320); + +var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not 
configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), +])); + +var msg386 = msg("Not_configured:13", part321); + +var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), +])); + +var msg387 = msg("Not_configured:14", part322); + +var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), +])); + +var msg388 = msg("Not_configured:15", part323); + +var part324 = match("MESSAGE#368:Not_configured:16", "nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), +])); + +var msg389 = msg("Not_configured:16", part324); + +var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), +])); + +var msg390 = msg("Not_configured:17", part325); + +var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ + dup56, + dup14, + dup15, + setc("action","Queued mail for 
delivery"), +])); + +var msg391 = msg("Delivered", part326); + +var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Engine update thread pool shutting down"), +])); + +var msg392 = msg("Engine_update", part327); + +var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Freed triggers from 'acquired' / 'blocked' state"), +])); + +var msg393 = msg("Freed_triggers", part328); + +var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Upgrade has completed succesfully"), +])); + +var msg394 = msg("Upgrade_completed", part329); + +var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg395 = msg("PG", part330); + +var select69 = linear_select([ + msg394, + msg395, +]); + +var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","DEFAULT SCHEDULER"), +])); + +var msg396 = msg("DEFAULT_SCHEDULER", part331); + +var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%(unknown)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Context loader config file"), +])); + +var msg397 = msg("Context_loader", part332); + +var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Copied file"), +])); + +var msg398 = msg("Copied_file", part333); + +var part334 = 
match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ + dup20, + dup15, + setc("event_description","Console VM version"), +])); + +var msg399 = msg("Java", part334); + +var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing permissions"), +])); + +var msg400 = msg("Changing", part335); + +var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Changing new database AUTH method"), +])); + +var msg401 = msg("Changing:01", part336); + +var select70 = linear_select([ + msg400, + msg401, +]); + +var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Job execution threads will use class loader"), +])); + +var msg402 = msg("Job_execution", part337); + +var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","JobStoreCMT initialized"), +])); + +var msg403 = msg("Initialized:02", part338); + +var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz scheduler initialized"), +])); + +var msg404 = msg("Initialized:03", part339); + +var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Quartz Scheduler created."), +])); + +var msg405 = msg("Created:03", part340); + +var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler 
version: %{version}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg406 = msg("Scheduler_version", part341); + +var select71 = linear_select([ + msg404, + msg405, + msg406, +]); + +var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Recovering jobs"), +])); + +var msg407 = msg("Recovering", part342); + +var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Recovery"), + setc("disposition","Complete"), +])); + +var msg408 = msg("Recovery", part343); + +var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed triggers"), +])); + +var msg409 = msg("Removed", part344); + +var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired job entries.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Removed job entries"), +])); + +var msg410 = msg("Removed:01", part345); + +var select72 = linear_select([ + msg409, + msg410, +]); + +var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg411 = msg("Restoring", part346); + +var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Upgrading database"), +])); + +var msg412 = msg("Upgrading", part347); + +var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Exploits are up to date"), +])); + +var msg413 = msg("Exploits", part348); + +var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ 
%{dhost}:%{dport}.", processor_chain([ + dup53, + dup49, + dup27, + dup14, + dup15, + setc("event_description","Failure communicating with NSE"), +])); + +var msg414 = msg("Failure", part349); + +var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, +])); + +var msg415 = msg("Renamed", part350); + +var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + setc("event_description","Reinitializing web server for maintenance mode"), +])); + +var msg416 = msg("Reinitializing", part351); + +var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, +])); + +var msg417 = msg("Replaced", part352); + +var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ + dup20, + dup57, + dup22, + dup14, + dup15, + dup58, +])); + +var msg418 = msg("Replaced:01", part353); + +var select73 = linear_select([ + msg417, + msg418, +]); + +var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","System is running low on memory"), +])); + +var msg419 = msg("System", part354); + +var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, + dup30, + dup31, + dup32, + dup33, +])); + +var msg420 = msg("System:01", part355); + +var select74 = linear_select([ + msg419, + msg420, +]); + +var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", 
processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Analyzing the database"), +])); + +var msg421 = msg("Analyzing", part356); + +var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. %{action}.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Connection to the new database was successful"), +])); + +var msg422 = msg("Connection", part357); + +var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), +])); + +var msg423 = msg("Handling", part358); + +var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","LDAP authentication requires resolution"), +])); + +var msg424 = msg("LDAP", part359); + +var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Maintenance Task Started"), +])); + +var msg425 = msg("Maintenance", part360); + +var msg426 = msg("Migration", dup61); + +var msg427 = msg("Mobile", dup68); + +var msg428 = msg("ConsoleScanImporter", dup68); + +var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. 
%{directory}", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Cleaning up"), +])); + +var msg429 = msg("Postgres:01", part361); + +var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg430 = msg("Succesfully", part362); + +var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg431 = msg("Unzipped", part363); + +var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg432 = msg("vacuumdb", part364); + +var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Processed vuln check types"), +])); + +var msg433 = msg("Processed_vuln", part365); + +var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var msg434 = msg("Reflections", part366); + +var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg435 = msg("CorrelationAttributes", part367); + +var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg436 = msg("CorrelationAttributes:01", part368); + +var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg437 = msg("CorrelationAttributes:02", part369); + +var part370 = match("MESSAGE#434:CorrelationAttributes:03", 
"nwparser.payload", "0.325: %{info}", processor_chain([ + dup20, + dup15, +])); + +var msg438 = msg("CorrelationAttributes:03", part370); + +var msg439 = msg("ConsoleProductInfoProvider", dup69); + +var msg440 = msg("NSXAssetEventHandler", dup69); + +var msg441 = msg("ProductNotificationService", dup69); + +var msg442 = msg("AssetEventHandler", dup69); + +var msg443 = msg("SiteEventHandler", dup69); + +var msg444 = msg("UserEventHandler", dup69); + +var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); + +var msg446 = msg("TagEventHandler", dup69); + +var msg447 = msg("AssetGroupEventHandler", dup69); + +var msg448 = msg("ScanEventHandler", dup69); + +var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), +])); + +var msg449 = msg("Not_configured:18", part371); + +var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), +])); + +var msg450 = msg("Not_configured:19", part372); + +var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), +])); + +var msg451 = msg("Not_configured:20", part373); + +var part374 = match("MESSAGE#448:Not_configured:21", "nwparser.payload", 
"com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), +])); + +var msg452 = msg("Not_configured:21", part374); + +var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), +])); + +var msg453 = msg("Not_configured:22", part375); + +var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), +])); + +var msg454 = msg("Not_configured:23", part376); + +var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), +])); + +var msg455 = msg("Not_configured:24", part377); + +var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), +])); + +var msg456 = msg("Not_configured:25", part378); + +var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default 
value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), +])); + +var msg457 = msg("Not_configured:26", part379); + +var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ + dup56, + dup14, + dup15, + setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), +])); + +var msg458 = msg("Not_configured:27", part380); + +var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ + dup20, + dup14, + dup15, + setc("action","detected"), +])); + +var msg459 = msg("Spring", part381); + +var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Storing scan details"), +])); + +var msg460 = msg("Storing", part382); + +var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","Clearing object tracker"), +])); + +var msg461 = msg("Clearing", part383); + +var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ + dup20, + dup14, + dup15, + setc("result","All scan engines are up to date"), +])); + +var msg462 = msg("All", part384); + +var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ + dup20, + dup14, + dup15, + setc("action","New Provider discovered"), +])); + +var msg463 = msg("New", part385); + +var part386 = match("MESSAGE#463:Session", 
"nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Session created"), +])); + +var msg464 = msg("Session", part386); + +var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Debug logging is not enabled"), +])); + +var msg465 = msg("Debug", part387); + +var msg466 = msg("Debug:01", dup61); + +var select75 = linear_select([ + msg465, + msg466, +]); + +var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","ACES logging is not enabled"), +])); + +var msg467 = msg("ACES", part388); + +var msg468 = msg("ACES:01", dup61); + +var select76 = linear_select([ + msg467, + msg468, +]); + +var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Invulnerable Data Storage is on"), +])); + +var msg469 = msg("Invulnerable", part389); + +var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ + dup20, + dup14, + dup15, + setc("event_description","Nmap ARP Ping for local networks"), +])); + +var msg470 = msg("Nmap", part390); + +var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1801000000"), + dup14, + dup15, +])); + +var msg471 = msg("Nmap:01", part391); + +var select77 = linear_select([ + msg470, + msg471, +]); + +var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); + +var part393 = match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); + +var select78 = linear_select([ + part392, + part393, +]); + +var 
all20 = all_match({ + processors: [ + select78, + ], + on_success: processor_chain([ + setc("eventcategory","1301000000"), + dup14, + dup15, + ]), +}); + +var msg472 = msg("Cause", all20); + +var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ + setc("eventcategory","1901000000"), + dup15, +])); + +var msg473 = msg("NEXPOSE_GENERIC", part394); + +var chain1 = processor_chain([ + select4, + msgid_select({ + "0.16": msg435, + "0.245": msg437, + "0.325": msg438, + "0.49": msg436, + "A": msg235, + "ACES": select76, + "Accepting": msg327, + "Acknowledged": msg273, + "Acknowledging": msg272, + "Activation": msg271, + "Adding": select25, + "Administrative": select49, + "Advertising": msg217, + "All": msg462, + "AllowUseOriginalMessage": msg349, + "An": msg287, + "Analyzing": msg421, + "Apache": msg347, + "Applying": msg164, + "Approved": msg267, + "Asserting": select28, + "AssetEventHandler": msg442, + "AssetGroupEventHandler": msg447, + "At": msg286, + "Attempting": select26, + "Authenticated": msg85, + "Authentication": select23, + "Auto-update": msg266, + "Available": msg308, + "Backing": msg372, + "Benchmark": msg365, + "Bulk": msg314, + "CIFS": msg203, + "CPU": msg304, + "CSIDL_SYSTEM": msg209, + "CSIDL_SYSTEMX86": msg208, + "Cached:": msg204, + "Cannot": select68, + "Cataloged": msg103, + "Cause": msg472, + "Changing": select70, + "CheckProcessor:": msg248, + "Checking": select41, + "Cleaning": select64, + "Clearing": msg461, + "Closing": select39, + "Compiling": msg318, + "Completed": select40, + "Computer": msg302, + "Configuring": msg336, + "Connection": msg422, + "Console": select12, + "ConsoleProductInfoProvider": msg439, + "ConsoleScanImporter": msg428, + "Context": msg397, + "Copied": msg398, + "Could": msg125, + "Created": select57, + "Creating": msg240, + "Current": select58, + "DB_VERSION": msg357, + "DEFAULT": msg396, + "DNS": msg172, + "Database": select62, + "Debug": select75, + "Default": msg346, + 
"Deleted": msg345, + "Delivered": msg391, + "Deploying": msg282, + "Destroying": msg277, + "Detected": msg329, + "Determining": select29, + "Disk": msg309, + "Done": select17, + "Downloaded": msg290, + "Downloading": msg289, + "Dumping": msg104, + "ERROR": select7, + "ERROR:": msg370, + "Enabling": msg333, + "Engine": msg392, + "Enumerating": msg205, + "Error": msg353, + "Establishing": msg264, + "EventLog": msg359, + "Exchange": msg211, + "Executing": select48, + "Exploits": msg413, + "ExtMgr": select8, + "FTP": msg149, + "Failed": msg112, + "Failure": msg414, + "Finished": select53, + "Firefox": msg259, + "Flash": msg183, + "Form": msg105, + "Found": select33, + "Freed": msg393, + "Freeing": select56, + "Generating": msg283, + "Getting": msg190, + "Got": msg156, + "Graceful": msg354, + "Granting": msg334, + "HHH000436:": msg268, + "Handling": msg423, + "Host": select42, + "IE": msg192, + "IP": msg218, + "Imported": select61, + "Importing": msg315, + "Inconsistency": msg83, + "Initialized": select66, + "Initializing": select51, + "Inserted": msg344, + "Installed": msg343, + "Installing": select37, + "Interrupted,": msg47, + "Invocation": msg278, + "Invulnerable": msg469, + "JAR": msg276, + "JMX": msg348, + "JRE": msg179, + "JVM": msg310, + "Java": msg399, + "Job": msg402, + "JobStoreCMT": msg403, + "Kill": msg295, + "LDAP": msg424, + "Listing": msg189, + "Loaded": select52, + "Loading": msg241, + "Local": msg356, + "Locating": msg249, + "Logging": msg258, + "MDAC": msg181, + "Maintenance": msg425, + "Making": msg360, + "Microsoft": msg180, + "Migration": msg426, + "Mobile": msg427, + "NEXPOSE_GENERIC": msg473, + "NOT_VULNERABLE": select5, + "NOT_VULNERABLE_VERSION": msg1, + "NSE": select11, + "NSXAssetEventHandler": msg440, + "Name": msg182, + "New": msg463, + "Nexpose": select13, + "Nmap": select77, + "No": select35, + "Number": msg305, + "OS": msg364, + "Operating": msg303, + "PG": select69, + "Parsed": msg178, + "Parsing": msg322, + "Patching": msg275, + 
"Pausing": msg311, + "Performing": select20, + "Policy": select60, + "Populating": msg358, + "PostgreSQL": msg340, + "Postgres": msg429, + "Preparing": msg67, + "Processed": msg433, + "Processing": msg97, + "Product": msg298, + "ProductNotificationService": msg441, + "ProtocolFper": msg31, + "Quartz": select71, + "QuartzRepeaterBuilder": msg371, + "Queued": msg252, + "Queueing": select18, + "Reading": msg253, + "Recovering": msg407, + "Recovery": msg408, + "Recursively": select27, + "Reflections": msg434, + "Refreshing": msg270, + "Registered": select54, + "Registering": msg254, + "Reinitializing": msg416, + "Relaunching": msg106, + "Remapped": msg324, + "Remapping": msg323, + "Removed": select72, + "Removing": msg285, + "Renamed": msg415, + "Replaced": select73, + "Report": select67, + "Requested": msg292, + "Resolving": msg171, + "Response": msg265, + "Restarting": msg291, + "Restoring": msg411, + "Retrieved": msg202, + "Retrieving": msg155, + "Rewrote": msg65, + "Route:": select55, + "Running": select30, + "SPIDER": msg66, + "SPIDER-XSS": msg96, + "SQL": msg212, + "Scan": select22, + "ScanEventHandler": msg448, + "ScanMgr": select9, + "Scanning": msg173, + "Scheduler": select63, + "Searching": msg109, + "Security": select15, + "Seeing": msg257, + "Sending": msg118, + "Service": select32, + "Session": msg464, + "Setting": msg361, + "Shutdown": msg49, + "Shutting": msg46, + "Site": msg84, + "SiteEventHandler": msg443, + "Skipping": msg184, + "Spring": msg459, + "Staged": msg269, + "Staging": msg284, + "Started": select47, + "Starting": select34, + "Stopping": msg331, + "Storing": msg460, + "StreamCaching": msg355, + "Succesfully": msg430, + "Successfully": msg263, + "Super": msg301, + "Synchronizing": msg321, + "System": select74, + "SystemFingerprint": msg108, + "TCP": msg250, + "TCPSocket": msg110, + "TagEventHandler": msg446, + "Telling": msg330, + "The": msg288, + "Total": select59, + "Truncating": msg320, + "Trusted": msg121, + "Trying": msg64, + "UDP": 
msg251, + "Unzipped": msg431, + "Update": select36, + "Updated": select46, + "Updating": select43, + "Upgrading": msg412, + "User": select24, + "UserEventHandler": msg444, + "Using": msg279, + "VERSION": msg328, + "VULNERABLE": select6, + "VULNERABLE_VERSION": msg2, + "Validating": msg274, + "Verifying": msg363, + "Version": msg335, + "Version:": msg191, + "Vulnerability": msg319, + "VulnerabilityExceptionEventHandler": msg445, + "Web": select16, + "Webmin": msg133, + "Windows": select38, + "building": msg117, + "but": msg98, + "checking": msg158, + "com.rapid.nexpose.scanpool.stateInterval": msg373, + "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, + "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, + "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, + "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, + "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, + "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, + "com.rapid7.nexpose.nsc.dbcc": msg378, + "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, + "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, + "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, + "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, + "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, + "com.rapid7.nexpose.nse.excludedFileSystems": msg452, + "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, + "com.rapid7.nexpose.nse.nscClient.readTimeout": msg385, + "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, + "com.rapid7.nexpose.scan.consolidation.delay": msg387, + 
"com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, + "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, + "com.rapid7.nexpose.scan.logMemory.interval": msg454, + "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, + "com.rapid7.nexpose.scan.usescanpool": msg389, + "com.rapid7.nsc.workflow.timeout": msg390, + "com.rapid7.scan.perTestDurationLogging": msg456, + "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, + "common": msg261, + "connected": msg111, + "creating": msg120, + "credentials": msg95, + "dcerpc-get-ms-blaster-codes": msg124, + "initdb": msg362, + "j_password": msg99, + "j_username": msg100, + "jess.JessException:": msg262, + "key": msg188, + "list-user-directory": msg123, + "loading": msg153, + "main": msg107, + "nodes": msg260, + "office": msg210, + "osspi_defaultTargetLocation": msg101, + "param:": msg174, + "persistent-xss": msg92, + "removing": msg332, + "sending": msg119, + "shutting": msg48, + "signon_type": msg122, + "spider-parse-robot-exclusions": msg102, + "starting": msg213, + "trying": msg154, + "unexpected": msg157, + "using": msg142, + "vacuumdb": msg432, + }), +]); + +var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); + +var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); + +var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); + +var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); + +var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); + +var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); + +var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); + +var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); + +var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var part402 = 
match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var select79 = linear_select([ + dup7, + dup8, +]); + +var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup17, +])); + +var select80 = linear_select([ + dup41, + dup42, +]); + +var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup16, + dup29, + dup30, + dup31, + dup32, + dup33, + dup34, +])); + +var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup15, +])); + +var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ + dup20, + dup14, + dup15, +])); + +var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup15, +])); + +var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ + dup20, + dup14, + dup15, + dup25, +])); + +var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ + dup20, + dup14, + dup15, + dup59, +])); diff --git a/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml b/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml new file mode 100644 index 00000000000..d558e7071ea --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Rapid7 NeXpose
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/rapid7/nexpose/manifest.yml b/x-pack/filebeat/module/rapid7/nexpose/manifest.yml
new file mode 100644
index 00000000000..a011a93d869
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/manifest.yml
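Review bot: The `on_failure` handler at the end of this hunk only appends `_ingest.on_failure_message` to `error.message`, so a document whose geoip or user_agent step threw (an unparseable `source.ip`, for instance) is indexed looking like a normally parsed event and is only discoverable by free-text searching `error.message`. Adding a second processor to the same handler, `- set:` / `field: event.kind` / `value: pipeline_error`, gives a stable keyword field that a monitoring query or alert on pipeline failures can key on. A one-line comment above `on_failure`, `# enrichment failures are recorded on the event rather than dropping it`, would also make the intended failure semantics explicit for operators tuning this pipeline.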
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["rapid7.nexpose", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9517
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log
new file mode 100644
index 00000000000..ed2f7ef05fa
--- /dev/null
+++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log
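Review bot: `tz_offset` defaults to `local` while the Nexpose timestamps this dataset parses carry no zone information (the `%{hdate}T%{htime->}` header patterns in the preceding pipeline.js hunk have no offset field), so when Filebeat runs on a different host than the console the events are stamped with the collector's zone and the resulting skew is invisible to analysts correlating against other sources. A comment on the var, `# Nexpose log timestamps have no zone; set this to the console's offset when Filebeat runs elsewhere`, would surface that to operators. The `input` default of `udp` on port 9517 is likewise worth a comment, since a UDP syslog listener accepts datagrams from any source address with no sender authentication; if config/input.yml (outside this hunk) offers a `tcp` variant, pointing to it here helps deployments that need a traceable transport.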
@@ -0,0 +1,100 @@ +%NEXPOSE-nci: SiteEventHandler deny +%NEXPOSE-iin: persistent-xss +%NEXPOSE-tenima: Telling laboreet +%NEXPOSE-giatq: SPIDER-XSS +%NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi. +%NEXPOSE-isaute: tcup +%NEXPOSE-ofdeFini: Using +%NEXPOSE-emulla: mpori +%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese +%NEXPOSE-iumtotam: Invocation: +%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: +%NEXPOSE-tur: roi credentials: +%NEXPOSE-equatu: upta +%NEXPOSE-itam: str Approved: +%NEXPOSE-ionemu: eetdolo +%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim. +%NEXPOSE-siutaliq: dutp +%NEXPOSE-isau: HHH000436: +%NEXPOSE-rumwrit: Skipping +%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state. 
+%NEXPOSE-ssecil: nodes: +%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny +%NEXPOSE-nsec: quidolor j_password: +%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN +%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed +%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa +%NEXPOSE-msequ: uat +%NEXPOSE-ataevita: oremqu +%NEXPOSE-oremi: ugitsedq +%NEXPOSE-ipsaqu: TagEventHandler cancel +%NEXPOSE-tiaecon: Acknowledged: +%NEXPOSE-itametc: ProductNotificationService: allow +%NEXPOSE-olori: ido +%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu +%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide +%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect +%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti +%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default +%NEXPOSE-tatevel: midestl +%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin +%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr +%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers. +%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo +%NEXPOSE-uatu: Shutting down ' +%NEXPOSE-ende: DEFAULT SCHEDULER: ' +%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame. 
+%NEXPOSE-exe: Reading +%NEXPOSE-eddoei: Benchmark lorumw +%NEXPOSE-ctionofd: j_password: +%NEXPOSE-boreetd: tNe +%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm. +%NEXPOSE-iadeseru: Adding +%NEXPOSE-eosqui: iatquo +%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua +%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut +%NEXPOSE-aturve: Error 2018-3-25T9:31:24 edqui +%NEXPOSE-Loremip: Requested: +%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen +%NEXPOSE-tur: The: +%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex +%NEXPOSE-exerc: Retrieving +%NEXPOSE-uaturQ: but: +%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation +%NEXPOSE-magnido: mcolab +%NEXPOSE-tiumd: Dumping +%NEXPOSE-orisnis: umq +%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid +%NEXPOSE-uisno: enat +%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve +%NEXPOSE-lupta: utla +%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept +%NEXPOSE-ostr: amcorp 0.49: iadolo +%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni +%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine. 
+%NEXPOSE-eosqu: reetdolo +%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel +%NEXPOSE-Neq: rcita +%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud +%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape +%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown. +%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq +%NEXPOSE-ptate: oloreeu credentials: +%NEXPOSE-iscinge: Populating ora +%NEXPOSE-orincidi: ScanEventHandler: cancel +%NEXPOSE-mSecti: Updating ius +%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq +%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss +%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui +%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow +%NEXPOSE-agn: Stopping eritinvo +%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo +%NEXPOSE-ctobeat: common +%NEXPOSE-olab: remagnam Destroying: +%NEXPOSE-adipi: idid Destroying: +%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru +%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. 
+%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono +%NEXPOSE-tempori: sedquian +%NEXPOSE-umfu: No +%NEXPOSE-nisi: credentials: diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json new file mode 100644 index 00000000000..741cde33d3f --- /dev/null +++ b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json 
@@ -0,0 +1,1855 @@ +[ + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nci: SiteEventHandler deny", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 0, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iin: persistent-xss ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 36, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tenima: Telling laboreet", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 66, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-giatq: SPIDER-XSS ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 100, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lupt: 
2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 128, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-isaute: tcup", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 308, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ofdeFini: Using ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 330, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-emulla: mpori", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 356, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Migration", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: 
Migration] [Started: tinvolu] [Duration: iurer] iciadese", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 379, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "iciadese", + "rsa.internal.messageid": "Migration", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iumtotam: Invocation: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 493, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 525, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tur: roi credentials: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 573, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-equatu: upta", + "fileset.name": "nexpose", + "input.type": "log", 
+ "log.offset": 605, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-itam: str Approved: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 627, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ionemu: eetdolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 657, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 682, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-siutaliq: dutp", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 856, + "observer.product": 
"Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-isau: HHH000436: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 880, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-rumwrit: Skipping ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 907, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 935, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ssecil: nodes: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1062, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + 
"rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1087, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nsec: quidolor j_password: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1187, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "Shutting down", + "event.code": "Mobile", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1224, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "licaboN", + "rsa.internal.messageid": "Mobile", + "rsa.misc.action": [ + "Shutting down" + ], + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed", + "fileset.name": "nexpose", + 
"input.type": "log", + "log.offset": 1342, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Migration", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1427, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "atnulapa", + "rsa.internal.messageid": "Migration", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-msequ: uat", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1537, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ataevita: oremqu", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1557, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-oremi: ugitsedq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1583, + "observer.product": 
"Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ipsaqu: TagEventHandler cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1608, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tiaecon: Acknowledged: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1648, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-itametc: ProductNotificationService: allow", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1681, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olori: ido", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1733, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + 
"service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Activation", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1753, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "oloreeu", + "rsa.internal.messageid": "Activation", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1810, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Error", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 1907, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "tect", + "rsa.internal.messageid": "Error", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "Upgrading database", + "event.code": "Upgrading", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti", + "fileset.name": "nexpose", + "input.type": "log", + 
"log.offset": 2013, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "Upgrading", + "rsa.misc.action": [ + "Upgrading database" + ], + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2139, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tatevel: midestl", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2222, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "An", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2248, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "cin", + "rsa.internal.messageid": "An", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "PostgreSQL", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr", + "fileset.name": 
"nexpose", + "input.type": "log", + "log.offset": 2288, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "natuserr", + "rsa.internal.messageid": "PostgreSQL", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2413, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Remapped", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2604, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "eruntmo", + "rsa.internal.messageid": "Remapped", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uatu: Shutting down '", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2763, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + 
"event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ende: DEFAULT SCHEDULER: '", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2794, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2830, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-exe: Reading ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2960, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eddoei: Benchmark lorumw", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 2983, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", 
+ "event.module": "rapid7", + "event.original": "%NEXPOSE-ctionofd: j_password: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3017, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-boreetd: tNe", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3049, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3071, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured", + "rsa.internal.messageid": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", + "rsa.misc.result_code": "exeacomm", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iadeseru: Adding ", + "fileset.name": "nexpose", + 
"input.type": "log", + "log.offset": 3351, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eosqui: iatquo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3378, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Establishing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3402, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "quamqua", + "rsa.internal.messageid": "Establishing", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Deleted", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3455, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "ntut", + "rsa.internal.messageid": "Deleted", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Error", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aturve: Error 
2018-3-25T9:31:24 edqui", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3615, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "edqui", + "rsa.internal.messageid": "Error", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Loremip: Requested: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3662, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "0.16", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3692, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "moen", + "rsa.internal.messageid": "0.16", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tur: The: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3799, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Renamed", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] 
[Duration: adipis] Renamed abo to suntex", + "event.outcome": "success", + "file.name": "abo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3819, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "suntex", + "rsa.internal.messageid": "Renamed", + "rsa.investigations.ec_activity": "Modify", + "rsa.investigations.ec_outcome": "Success", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-exerc: Retrieving ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3937, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uaturQ: but: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3965, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 3988, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + 
"event.module": "rapid7", + "event.original": "%NEXPOSE-magnido: mcolab", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4069, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tiumd: Dumping ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4094, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orisnis: umq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4119, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4141, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uisno: enat", + "fileset.name": "nexpose", + "input.type": "log", + 
"log.offset": 4237, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "suntexpl JVM frames", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4258, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "suntexpl JVM frames", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-lupta: utla", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4332, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "AssetGroupEventHandler", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4353, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "AssetGroupEventHandler", + "rsa.misc.action": [ + "accept" + ], + "service.name": "fld1", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ostr: amcorp 
0.49: iadolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4475, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "loading", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4510, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "maveni", + "rsa.internal.messageid": "loading", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Closing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4621, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "Closing connection to scan engine", + "rsa.internal.messageid": "Closing", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-eosqu: reetdolo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4798, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + 
{ + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4823, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Neq: rcita", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4927, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "removing", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 4947, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "laud", + "rsa.internal.messageid": "removing", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5066, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + 
"rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5164, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Setting", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5348, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "isq", + "rsa.internal.messageid": "Setting", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ptate: oloreeu credentials: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5461, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-iscinge: Populating ora", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5499, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + 
"rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-orincidi: ScanEventHandler: cancel", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5532, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mSecti: Updating ius", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5576, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "No", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5606, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "eaq", + "rsa.internal.messageid": "No", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "[Site:", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5712, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + 
"rsa.internal.messageid": "[Site:", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Activation", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5801, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "psumqui", + "rsa.internal.messageid": "Activation", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "AssetGroupEventHandler", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 5915, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "AssetGroupEventHandler", + "rsa.misc.action": [ + "allow" + ], + "service.name": "fld1", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-agn: Stopping eritinvo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6051, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.action": "Shutting down", + "event.code": "ConsoleScanImporter", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": 
"%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6083, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "tinvo", + "rsa.internal.messageid": "ConsoleScanImporter", + "rsa.misc.action": [ + "Shutting down" + ], + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-ctobeat: common ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6203, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-olab: remagnam Destroying: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6229, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-adipi: idid Destroying: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6266, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Job", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + 
"event.original": "%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6300, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.db.index": "stlaboru", + "rsa.internal.event_desc": "Job execution threads will use class loader", + "rsa.internal.messageid": "Job", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6465, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", + "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", + "rsa.misc.result_code": "uaer", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "Restarting", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6730, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.event_desc": "iono", + "rsa.internal.messageid": "Restarting", + 
"service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-tempori: sedquian", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6837, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-umfu: No ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6864, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + }, + { + "event.code": "NEXPOSE_GENERIC", + "event.dataset": "rapid7.nexpose", + "event.module": "rapid7", + "event.original": "%NEXPOSE-nisi: credentials: ", + "fileset.name": "nexpose", + "input.type": "log", + "log.offset": 6883, + "observer.product": "Nexpose", + "observer.type": "Vulnerability", + "observer.vendor": "Rapid7", + "rsa.internal.messageid": "NEXPOSE_GENERIC", + "service.type": "rapid7", + "tags": [ + "rapid7.nexpose", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md new file mode 100644 index 00000000000..65bd2526ff1 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -0,0 +1,7 @@ +# sonicwall module + +This is a module for Sonicwall-FW logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 +at 2020-07-13 17:55:41.955704 +0000 UTC. + 
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml new file mode 100644 index 00000000000..fcc2abefb79 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml @@ -0,0 +1,19 @@ +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc new file mode 100644 index 00000000000..6b882920797 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc 
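Review bot: The firewall fileset template lists `var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields` and `var.tz_offset` but omits `var.keep_raw_fields`, which docs.asciidoc in this same commit documents as a fileset setting defaulting to false, so operators reading only the template will not discover it. Adding a commented pair after the `rsa_fields` block keeps the template and the docs in sync: `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. The `localhost` default for `var.syslog_host` is the right conservative choice, since nothing in the module's own variables adds authentication to the udp/tcp listener; the docs' hint to bind `0.0.0.0` is where a remark about limiting exposure (host firewall, trusted collector network) would belong.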
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: sonicwall +:has-dashboards: false + +== Sonicwall module + +experimental[] + +This is a module for receiving Sonicwall-FW logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9519` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/sonicwall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/_meta/fields.yml new file mode 100644 index 00000000000..13a72000b12 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: sonicwall + title: Sonicwall-FW + description: > + sonicwall fields. + fields: diff --git a/x-pack/filebeat/module/sonicwall/fields.go b/x-pack/filebeat/module/sonicwall/fields.go new file mode 100644 index 00000000000..d3f61fd9af9 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sonicwall + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sonicwall", asset.ModuleFieldsPri, AssetSonicwall); err != nil { + panic(err) + } +} + +// AssetSonicwall returns asset data. +// This is the base64 encoded gzipped contents of module/sonicwall. +func AssetSonicwall() string { + return "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" +} diff --git a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
new file mode 100644
index 00000000000..91bbc2d960f
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+  {{ range $i, $path := .paths }}
+- {{$path}}
+  {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+  observer:
+    vendor: "Sonicwall"
+    product: "Firewalls"
+    type: "Firewall"
+
+processors:
+- script:
+    lang: javascript
+    params:
+      ecs: true
+      rsa: {{.rsa_fields}}
+      tz_offset: {{.tz_offset}}
+      keep_raw: {{.keep_raw_fields}}
+      debug: {{.debug}}
+      files:
+        - ${path.home}/module/sonicwall/firewall/config/liblogparser.js
+        - ${path.home}/module/sonicwall/firewall/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+    target: ''
+    fields:
+      ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
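Review bot: The `debug: {{.debug}}` param handed to the script processor is not documented in this file, and the liblogparser.js it loads writes every raw input message plus the dissect pattern to the Filebeat log when it is on (the `console.debug(" input: <<" + msg + ">>")` call in match() further down this commit), so with datasets that map cookies, certificate details and patient fields the event content ends up duplicated in the beat's own log file. A short comment above the param would make that trade-off visible to operators: `# debug: true echoes each raw message to the Filebeat log; intended for troubleshooting only`. Whether the module's default for .debug is false is set in the manifest, which is not in this hunk, so that should be confirmed. Minor style point: `$i` in `{{ range $i, $path := .paths }}` is never used, so `{{ range .paths }}` with `- {{ . }}` would read cleaner.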
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + +var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup12 = setc("eventcategory","1502010000"); + +var dup13 = setc("eventcategory","1502020000"); + +var dup14 = setc("eventcategory","1002010000"); + +var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var dup17 = setf("hostip","hhostip"); + +var dup18 = setf("id","hid"); + +var dup19 = setf("serial_number","hserial_number"); + +var dup20 = setf("category","hcategory"); + +var dup21 = setf("severity","hseverity"); + +var dup22 = setc("eventcategory","1805010000"); + +var dup23 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], +}); + +var dup24 = setc("eventcategory","1302000000"); + +var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + +var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + +var dup29 = setc("eventcategory","1401050100"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + +var dup32 = setc("eventcategory","1301020000"); + +var dup33 = match("MESSAGE#49:33:01/0", 
"nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + +var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + +var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + +var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var dup51 = setc("ec_subject","NetworkComm"); + +var dup52 = setc("ec_activity","Deny"); + +var dup53 = setc("ec_theme","Communication"); + +var dup54 = setf("msg","$MSG"); + +var dup55 = setc("action","dropped"); 
+ +var dup56 = setc("eventcategory","1608010000"); + +var dup57 = setc("eventcategory","1302010000"); + +var dup58 = setc("eventcategory","1301000000"); + +var dup59 = setc("eventcategory","1001000000"); + +var dup60 = setc("eventcategory","1003030000"); + +var dup61 = setc("eventcategory","1003050000"); + +var dup62 = setc("eventcategory","1103000000"); + +var dup63 = setc("eventcategory","1603110000"); + +var dup64 = setc("eventcategory","1605020000"); + +var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + +var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var dup70 = setc("eventcategory","1801000000"); + +var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var dup79 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var dup80 = match("MESSAGE#154:427/0", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + +var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup82 = setf("id","hfld1"); + +var dup83 = setc("eventcategory","1001020309"); + +var dup84 = setc("eventcategory","1303000000"); + +var dup85 = setc("eventcategory","1801010100"); + +var dup86 = setc("eventcategory","1604010000"); + +var dup87 = setc("eventcategory","1002020000"); + +var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var dup91 = setc("eventcategory","1001010000"); + +var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + +var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var dup100 = setc("eventcategory","1401060000"); + +var dup101 = setc("eventcategory","1804000000"); + +var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var dup103 = setc("eventcategory","1401070000"); + +var dup104 = match("MESSAGE#283:273/0", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + +var dup105 = setc("eventcategory","1801030000"); + +var dup106 = setc("eventcategory","1402020300"); + +var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + +var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var dup109 = setc("eventcategory","1402000000"); + +var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var dup113 = setc("eventcategory","1803020000"); + +var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + +var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} 
sent=%{p0}"); + +var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + +var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var dup142 = setc("event_description","Connection Closed"); + +var dup143 = setc("eventcategory","1801020000"); + +var dup144 = setc("ec_activity","Permit"); + +var dup145 = setc("action","allowed"); + +var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} 
src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + +var dup150 = setc("eventcategory","1001030500"); + +var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var dup159 = setc("eventcategory","1801010000"); + +var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + +var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var dup162 = setc("eventcategory","1003010000"); + +var dup163 = setc("eventcategory","1609000000"); + +var dup164 = setc("eventcategory","1204000000"); + +var dup165 = setc("eventcategory","1602000000"); + +var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + +var dup167 = setc("eventcategory","1803000000"); + +var dup168 = 
match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var dup174 = linear_select([ + dup8, + dup9, +]); + +var dup175 = linear_select([ + dup15, + dup16, +]); + +var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup177 = linear_select([ + dup25, + dup26, +]); + +var dup178 = linear_select([ + dup27, + dup28, +]); + +var dup179 = linear_select([ + dup34, + dup35, +]); + +var dup180 = linear_select([ + dup25, + dup39, +]); + +var dup181 = linear_select([ + dup41, + dup42, +]); + +var dup182 = linear_select([ + dup46, + dup47, +]); + +var dup183 = linear_select([ + dup49, + dup50, +]); + +var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var dup186 = linear_select([ + dup71, + dup75, + dup76, +]); + +var dup187 = linear_select([ + dup8, + dup25, +]); + +var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} 
dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, +])); + +var dup189 = linear_select([ + dup88, + dup89, +]); + +var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, +])); + +var dup191 = linear_select([ + dup92, + dup93, +]); + +var dup192 = linear_select([ + dup96, + dup97, +]); + +var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup198 = linear_select([ + dup66, + dup108, +]); + +var dup199 = linear_select([ + dup110, + dup111, +]); + +var dup200 = linear_select([ + dup115, + dup45, +]); + +var dup201 = linear_select([ + dup8, + dup26, +]); + +var dup202 = linear_select([ + dup8, + dup25, + dup39, +]); + +var dup203 = linear_select([ + dup71, + dup15, + dup16, +]); + +var dup204 = linear_select([ + dup121, + dup122, +]); + +var dup205 = linear_select([ + dup68, + dup69, + dup74, +]); + +var dup206 = linear_select([ + dup127, + dup128, +]); + +var dup207 = linear_select([ + dup41, + dup42, + dup134, +]); + +var dup208 = linear_select([ + dup135, + dup136, +]); + 
+var dup209 = linear_select([ + dup138, + dup139, +]); + +var dup210 = linear_select([ + dup140, + dup141, +]); + +var dup211 = linear_select([ + dup49, + dup148, +]); + +var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, +])); + +var dup213 = linear_select([ + dup152, + dup40, +]); + +var dup214 = linear_select([ + dup154, + dup155, +]); + +var dup215 = linear_select([ + dup156, + dup157, +]); + +var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, +])); + +var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, +])); + +var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, +])); + +var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, +])); + +var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, +])); + +var dup223 = linear_select([ + dup169, + dup170, +]); + +var dup224 = linear_select([ + dup172, + dup173, +]); + +var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + 
dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var dup226 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var dup227 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), +}); + +var dup228 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup229 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup230 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), +}); + +var dup231 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var dup232 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var dup233 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), +}); + +var dup234 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var dup235 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), +}); + +var dup236 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var dup237 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup238 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var dup239 = all_match({ + 
processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup240 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, +])); + +var msg1 = msg("4", part1); + +var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, +])); + +var msg2 = msg("5", part2); + +var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg3 = msg("5:01", part3); + +var select2 = linear_select([ + msg2, + msg3, +]); + +var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log 
successfully sent via email%{}", processor_chain([ + dup1, +])); + +var msg4 = msg("6", part4); + +var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg5 = msg("6:01", part5); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, +])); + +var msg6 = msg("7", part6); + +var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, +])); + +var msg7 = msg("8", part7); + +var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, +])); + +var msg8 = msg("9", part8); + +var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, +])); + +var msg9 = msg("10", part9); + +var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, +])); + +var msg10 = msg("11", part10); + +var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, +])); + +var msg11 = msg("12", part11); + +var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, +])); + +var msg12 = msg("12:01", part12); + +var select4 = linear_select([ + msg11, + msg12, +]); + +var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, +])); + +var msg13 = msg("13", part13); + +var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + +var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} 
arg=%{fld2->} code=%{icmpcode->} "); + +var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + +var select5 = linear_select([ + part15, + part16, +]); + +var all1 = all_match({ + processors: [ + part14, + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), +}); + +var msg14 = msg("14", all1); + +var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + +var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + +var select6 = linear_select([ + part17, + part18, +]); + +var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); + +var all2 = all_match({ + processors: [ + dup7, + dup174, + dup10, + select6, + part19, + ], + on_success: processor_chain([ + dup6, + ]), +}); + +var msg15 = msg("14:01", all2); + +var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg16 = msg("14:02", part20); + +var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg17 = msg("14:03", part21); + +var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} 
sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg18 = msg("14:04", part22); + +var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg19 = msg("14:05", part23); + +var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, +]); + +var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, +])); + +var msg20 = msg("15", part24); + +var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, +])); + +var msg21 = msg("16", part25); + +var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, +])); + +var msg22 = msg("17", part26); + +var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, +])); + +var msg23 = msg("18", part27); + +var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, +])); + +var msg24 = msg("19", part28); + +var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, +])); + +var msg25 = msg("20", part29); + +var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, +])); + +var msg26 = 
msg("21", part30); + +var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, +])); + +var msg27 = msg("22", part31); + +var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, +])); + +var msg28 = msg("23", part32); + +var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + +var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + +var select8 = linear_select([ + part34, + part35, +]); + +var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + +var all3 = all_match({ + processors: [ + part33, + dup175, + dup10, + select8, + part36, + ], + on_success: processor_chain([ + dup14, + ]), +}); + +var msg29 = msg("23:01", all3); + +var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ + dup14, +])); + +var msg30 = msg("23:02", part37); + +var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + +var part40 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + +var select9 = linear_select([ + part39, + part40, +]); + +var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + +var all4 = all_match({ + processors: [ + part38, + select9, + part41, + ], + on_success: processor_chain([ + dup14, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg31 = msg("23:03", all4); + +var select10 = linear_select([ + 
msg28, + msg29, + msg30, + msg31, +]); + +var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, +])); + +var msg32 = msg("24", part42); + +var msg33 = msg("24:01", dup176); + +var select11 = linear_select([ + msg32, + msg33, +]); + +var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, +])); + +var msg34 = msg("25", part43); + +var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, +])); + +var msg35 = msg("26", part44); + +var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, +])); + +var msg36 = msg("27", part45); + +var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, +])); + +var msg37 = msg("28", part46); + +var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, +])); + +var msg38 = msg("28:01", part47); + +var select12 = linear_select([ + msg37, + msg38, +]); + +var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, +])); + +var msg39 = msg("29", part48); + +var part49 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var all5 = all_match({ + processors: [ + part49, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg40 = msg("29:01", all5); + +var select13 = linear_select([ + msg39, + msg40, +]); + +var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg41 = msg("30", part50); + +var msg42 = msg("30:01", dup226); + +var select14 = 
linear_select([ + msg41, + msg42, +]); + +var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, +])); + +var msg43 = msg("31", part51); + +var all6 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup24, + ]), +}); + +var msg44 = msg("31:01", all6); + +var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg45 = msg("31:02", part52); + +var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg46 = msg("31:03", part53); + +var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg47 = msg("31:04", part54); + +var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, +]); + +var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg48 = msg("32", part55); + +var msg49 = msg("32:01", dup226); + +var select16 = linear_select([ + msg48, + msg49, +]); + +var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, +])); + +var msg50 = msg("33", part56); + +var all7 = all_match({ + processors: [ + dup33, + 
dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var msg51 = msg("33:01", all7); + +var select17 = linear_select([ + msg50, + msg51, +]); + +var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, +])); + +var msg52 = msg("34", part57); + +var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), +])); + +var msg53 = msg("35", part58); + +var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + +var select18 = linear_select([ + dup27, + part59, +]); + +var all8 = all_match({ + processors: [ + dup31, + dup177, + dup10, + select18, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), +}); + +var msg54 = msg("35:01", all8); + +var select19 = linear_select([ + msg53, + msg54, +]); + +var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, +])); + +var msg55 = msg("36", part60); + +var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + +var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + +var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); + +var select20 = linear_select([ + part62, + part63, +]); + +var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + +var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + +var select21 = linear_select([ + part64, + part65, + part66, +]); + +var all9 = all_match({ + processors: [ + part61, + select20, + dup179, + dup36, + dup175, + dup10, + select21, + ], + on_success: processor_chain([ + dup5, + dup37, 
+ ]), +}); + +var msg56 = msg("36:01", all9); + +var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + +var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + +var select22 = linear_select([ + part67, + part68, +]); + +var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + +var all10 = all_match({ + processors: [ + dup38, + dup180, + dup10, + dup175, + dup10, + select22, + part69, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg57 = msg("36:02", all10); + +var select23 = linear_select([ + msg55, + msg56, + msg57, +]); + +var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg58 = msg("37", part70); + +var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + +var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var select24 = linear_select([ + part72, + dup40, +]); + +var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + +var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + +var select25 = linear_select([ + part74, + part75, + part76, +]); + +var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + +var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + +var select26 = linear_select([ + part77, + part78, +]); + +var all11 = all_match({ + processors: [ + part71, + select24, + part73, + select25, + select26, + ], + on_success: processor_chain([ + 
dup5, + dup37, + ]), +}); + +var msg59 = msg("37:01", all11); + +var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, +])); + +var msg60 = msg("37:02", part79); + +var all12 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg61 = msg("37:03", all12); + +var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, +])); + +var msg62 = msg("37:04", part80); + +var select27 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, +]); + +var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg63 = msg("38", part81); + +var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + +var select28 = linear_select([ + part82, + dup45, +]); + +var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup175, + dup10, + select28, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg64 = msg("38:01", all13); + +var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + +var all14 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup182, + part83, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg65 = msg("38:02", all14); + +var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + +var select29 = linear_select([ + part84, + part85, +]); + +var part86 = 
match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + +var all15 = all_match({ + processors: [ + dup48, + select29, + part86, + dup183, + part87, + ], + on_success: processor_chain([ + dup5, + dup11, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg66 = msg("38:03", all15); + +var select30 = linear_select([ + msg63, + msg64, + msg65, + msg66, +]); + +var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg67 = msg("39", part88); + +var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, +])); + +var msg68 = msg("40", part89); + +var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg69 = msg("41:01", part90); + +var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, +])); + +var msg70 = msg("41:02", part91); + +var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, +])); + +var msg71 = msg("41:03", part92); + +var select31 = linear_select([ + msg69, + msg70, + msg71, +]); + +var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, +])); + +var msg72 = msg("42", part93); + 
+var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, +])); + +var msg73 = msg("43", part94); + +var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, +])); + +var msg74 = msg("44", part95); + +var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, +])); + +var msg75 = msg("45", part96); + +var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, +])); + +var msg76 = msg("45:01", part97); + +var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, +])); + +var msg77 = msg("45:02", part98); + +var select32 = linear_select([ + msg75, + msg76, + msg77, +]); + +var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg78 = msg("46:01", part99); + +var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, +])); + +var msg79 = msg("46:02", part100); + +var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, +])); + +var msg80 = msg("46", part101); + +var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var all16 = all_match({ + processors: [ + part102, + dup174, + dup10, + dup181, 
+ dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg81 = msg("46:03", all16); + +var select33 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, +])); + +var msg82 = msg("47", part103); + +var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, +])); + +var msg83 = msg("48", part104); + +var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, +])); + +var msg84 = msg("49", part105); + +var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, +])); + +var msg85 = msg("50", part106); + +var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, +])); + +var msg86 = msg("51", part107); + +var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, +])); + +var msg87 = msg("52", part108); + +var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, +])); + +var msg88 = msg("53", part109); + +var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, +])); + +var msg89 = msg("58", part110); + +var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, +])); + +var msg90 = msg("60", part111); + +var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, +])); + +var msg91 = msg("61", part112); + +var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ 
+ dup57, +])); + +var msg92 = msg("62", part113); + +var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, +])); + +var msg93 = msg("63", part114); + +var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg94 = msg("63:01", part115); + +var select34 = linear_select([ + msg93, + msg94, +]); + +var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, +])); + +var msg95 = msg("64", part116); + +var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup58, +])); + +var msg96 = msg("65", part117); + +var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, +])); + +var msg97 = msg("66", part118); + +var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, +])); + +var msg98 = msg("67", part119); + +var all17 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg99 = msg("67:01", all17); + +var select35 = linear_select([ + msg98, + msg99, +]); + +var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, +])); + +var msg100 = msg("68", part120); + +var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, +])); + +var msg101 = msg("69", part121); + +var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, +])); + +var msg102 = msg("70", part122); + +var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); + +var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} 
"); + +var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + +var select36 = linear_select([ + part124, + part125, +]); + +var all18 = all_match({ + processors: [ + part123, + select36, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg103 = msg("70:01", all18); + +var select37 = linear_select([ + msg102, + msg103, +]); + +var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg104 = msg("72", part126); + +var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, +])); + +var msg105 = msg("72:01", part127); + +var select38 = linear_select([ + msg104, + msg105, +]); + +var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg106 = msg("73", part128); + +var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg107 = msg("74", part129); + +var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg108 = msg("75", part130); + +var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg109 = msg("76", part131); + +var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg110 = msg("77", part132); + +var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg111 = msg("78", part133); + +var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg112 = msg("79", part134); + +var part135 = match("MESSAGE#111:80", 
"nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg113 = msg("80", part135); + +var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, +])); + +var msg114 = msg("81", part136); + +var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, +])); + +var msg115 = msg("82", part137); + +var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup62, +])); + +var msg116 = msg("82:02", part138); + +var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, +])); + +var msg117 = msg("82:03", part139); + +var msg118 = msg("82:01", dup184); + +var select39 = linear_select([ + msg115, + msg116, + msg117, + msg118, +]); + +var part140 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, +])); + +var msg119 = msg("83", part140); + +var msg120 = msg("83:01", dup185); + +var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, +])); + +var msg121 = msg("83:02", part141); + +var select40 = linear_select([ + msg119, + msg120, + msg121, +]); + +var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + +var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + +var select41 = linear_select([ + part142, + part143, +]); + +var all19 = all_match({ + processors: [ + select41, + 
], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), +}); + +var msg122 = msg("84", all19); + +var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, +])); + +var msg123 = msg("87", part144); + +var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup64, +])); + +var msg124 = msg("87:01", part145); + +var select42 = linear_select([ + msg123, + msg124, +]); + +var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, +])); + +var msg125 = msg("88", part146); + +var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg126 = msg("88:01", part147); + +var select43 = linear_select([ + msg125, + msg126, +]); + +var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg127 = msg("89", part148); + +var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + +var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + +var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + +var select44 = linear_select([ + part150, + part151, +]); + +var all20 = all_match({ + processors: [ + part149, + select44, + ], + on_success: processor_chain([ + dup64, + ]), +}); + +var msg128 = msg("89:01", all20); + +var select45 = linear_select([ + msg127, + msg128, +]); + +var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, +])); + +var msg129 = msg("90", part152); + +var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, +])); + +var msg130 = msg("91", part153); + +var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg131 = msg("92", part154); + +var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, +])); + +var msg132 = msg("93", part155); + +var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, +])); + +var msg133 = msg("94", part156); + +var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, +])); + +var msg134 = msg("95", part157); + +var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, +])); + +var msg135 = msg("96", part158); + +var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, +])); + +var msg136 = msg("97", part159); + +var part160 = match("MESSAGE#135:97:01/4", 
"nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); + +var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + +var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + +var select46 = linear_select([ + part161, + part162, +]); + +var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + +var select47 = linear_select([ + part163, + dup66, +]); + +var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part160, + select46, + dup10, + select47, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg137 = msg("97:01", all21); + +var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); + +var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part164, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg138 = msg("97:02", all22); + +var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + +var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + +var select48 = linear_select([ + part166, + part167, +]); + +var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + +var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part165, + select48, + part168, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg139 = msg("97:03", all23); + +var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); + +var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); + +var part171 = 
match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + +var select49 = linear_select([ + part170, + part171, +]); + +var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + +var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part169, + select49, + part172, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg140 = msg("97:04", all24); + +var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + +var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part173, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg141 = msg("97:05", all25); + +var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + +var select50 = linear_select([ + dup68, + dup69, +]); + +var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all26 = all_match({ + processors: [ + part174, + select50, + part175, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), +}); + +var msg142 = msg("97:06", all26); + +var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + +var select51 = linear_select([ + part177, + dup49, +]); + +var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} 
dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all27 = all_match({ + processors: [ + part176, + select51, + part178, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), +}); + +var msg143 = msg("97:07", all27); + +var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg144 = msg("97:08", part179); + +var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg145 = msg("97:09", part180); + +var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg146 = msg("97:10", part181); + +var select52 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part183 = match("MESSAGE#145:98/0_1", 
"nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + +var select53 = linear_select([ + part182, + part183, +]); + +var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + +var select54 = linear_select([ + part185, + dup71, +]); + +var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + +var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + +var select55 = linear_select([ + dup72, + part186, + part187, +]); + +var all28 = all_match({ + processors: [ + select53, + part184, + select54, + select55, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup11, + setc("action","Opened"), + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg147 = msg("98", all28); + +var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg148 = msg("98:07", part188); + +var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + +var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + +var select56 = linear_select([ + part189, + part190, +]); + +var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + +var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + +var part193 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + +var select57 = linear_select([ + part192, + 
part193, +]); + +var select58 = linear_select([ + dup73, + dup69, + dup74, +]); + +var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + +var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + +var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + +var select59 = linear_select([ + part194, + part195, + part196, + dup72, + part197, + part198, +]); + +var all29 = all_match({ + processors: [ + dup48, + select56, + part191, + select57, + select58, + dup10, + dup186, + select59, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg149 = msg("98:01", all29); + +var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + +var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + +var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + +var select60 = linear_select([ + part199, + part200, + part201, +]); + +var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + +var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + +var select61 = linear_select([ + part202, + part203, +]); + +var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + +var part205 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part206 = 
match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var select62 = linear_select([ + part205, + part206, + dup77, + dup78, +]); + +var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + +var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + +var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + +var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + +var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + +var select63 = linear_select([ + part208, + part209, + part210, + part211, + part212, +]); + +var all30 = all_match({ + processors: [ + select60, + select61, + part204, + dup187, + dup10, + select62, + part207, + select63, + ], + on_success: processor_chain([ + dup70, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg150 = msg("98:06", all30); + +var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + +var all31 = all_match({ + processors: [ + part213, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg151 = msg("98:02", all31); + +var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + +var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + +var select64 = linear_select([ + part214, + part215, +]); + +var all32 = all_match({ + processors: [ + select64, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg152 = msg("98:03", all32); + +var part216 = 
match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + +var all33 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part216, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg153 = msg("98:04", all33); + +var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + +var all34 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part217, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg154 = msg("98:05", all34); + +var select65 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, +]); + +var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup11, +])); + +var msg155 = msg("986", part218); + +var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + +var all35 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + part219, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg156 = msg("427", all35); + +var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + +var all36 = all_match({ + processors: [ + dup81, + dup183, + part220, + ], + on_success: processor_chain([ + dup22, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg157 = msg("428", all36); + +var part221 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg158 = msg("99", part221); + +var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP 
REQUEST (Requesting).%{}", processor_chain([ + dup64, +])); + +var msg159 = msg("100", part222); + +var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg160 = msg("101", part223); + +var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg161 = msg("102", part224); + +var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, +])); + +var msg162 = msg("103", part225); + +var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg163 = msg("104", part226); + +var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg164 = msg("105", part227); + +var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, +])); + +var msg165 = msg("106", part228); + +var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, +])); + +var msg166 = msg("107", part229); + +var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, +])); + +var msg167 = msg("108", part230); + +var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, +])); + +var msg168 = msg("109", part231); + +var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, +])); + +var msg169 = msg("110", part232); + +var msg170 = msg("111:01", dup188); + +var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, +])); + +var msg171 = msg("111", part233); + +var select66 = linear_select([ + msg170, + msg171, +]); + +var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, +])); + +var msg172 = msg("112", part234); + +var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, +])); + +var msg173 = msg("113", part235); + +var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, +])); + +var msg174 = msg("114", part236); + +var msg175 = msg("115:01", dup188); + +var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg176 = msg("115", part237); + +var select67 = linear_select([ + msg175, + msg176, +]); + +var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg177 = msg("116", part238); + +var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, 
+])); + +var msg178 = msg("117", part239); + +var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg179 = msg("118", part240); + +var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, +])); + +var msg180 = msg("119", part241); + +var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, +])); + +var msg181 = msg("120", part242); + +var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, +])); + +var msg182 = msg("121", part243); + +var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, +])); + +var msg183 = msg("122", part244); + +var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, +])); + +var msg184 = msg("123", part245); + +var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, +])); + +var msg185 = msg("124", part246); + +var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, +])); + +var msg186 = msg("125", part247); + +var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, +])); + +var msg187 = msg("1254", part248); + +var part249 = match("MESSAGE#186:1256", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg188 = msg("1256", part249); + +var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, +])); + +var msg189 = msg("1257", part250); + +var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, +])); + +var msg190 = msg("126", part251); + +var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, +])); + +var msg191 = msg("127", part252); + +var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, +])); + +var msg192 = msg("128", part253); + +var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, +])); + +var msg193 = msg("129", part254); + +var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, +])); + +var msg194 = msg("130", part255); + +var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, +])); + +var msg195 = msg("131", part256); + +var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ + dup1, +])); + +var msg196 = msg("132", part257); + +var part258 
= match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, +])); + +var msg197 = msg("133", part258); + +var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, +])); + +var msg198 = msg("134", part259); + +var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg199 = msg("135", part260); + +var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg200 = msg("136", part261); + +var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, +])); + +var msg201 = msg("137", part262); + +var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, +])); + +var msg202 = msg("138", part263); + +var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, +])); + +var msg203 = msg("139", part264); + +var all37 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), +}); + +var msg204 = msg("139:01", all37); + +var select68 = linear_select([ + msg203, + msg204, +]); + +var msg205 = msg("140", dup227); + +var msg206 = msg("141", dup227); + +var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg207 = msg("142", part265); + +var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg208 = msg("143", part266); + +var part267 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} 
dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg209 = msg("1431", part267); + +var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg210 = msg("144", part268); + +var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg211 = msg("145", part269); + +var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup86, +])); + +var msg212 = msg("146", part270); + +var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup86, +])); + +var msg213 = msg("147", part271); + +var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, +])); + +var msg214 = msg("148", part272); + +var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, +])); + +var msg215 = msg("1480", part273); + +var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, +])); + +var msg216 = msg("149", part274); + +var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, +])); + +var msg217 = msg("150", part275); + +var part276 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, +])); + +var msg218 = msg("151", part276); + +var part277 = 
match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, +])); + +var msg219 = msg("152", part277); + +var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), +])); + +var msg220 = msg("153", part278); + +var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, +])); + +var msg221 = msg("154", part279); + +var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup86, +])); + +var msg222 = msg("155", part280); + +var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup86, +])); + +var msg223 = msg("156", part281); + +var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, +])); + +var msg224 = msg("157:01", part282); + +var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, +])); + +var msg225 = msg("157", part283); + +var select69 = linear_select([ + msg224, + msg225, +]); + +var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup86, +])); + +var msg226 = msg("158", part284); + +var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, +])); + +var msg227 = msg("159", part285); + +var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + setc("eventcategory","1203000000"), +])); + +var msg228 = msg("160", part286); + +var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication 
success.%{}", processor_chain([ + dup57, +])); + +var msg229 = msg("161", part287); + +var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, +])); + +var msg230 = msg("162", part288); + +var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, +])); + +var msg231 = msg("163", part289); + +var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, +])); + +var msg232 = msg("164", part290); + +var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, +])); + +var msg233 = msg("165", part291); + +var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, +])); + +var msg234 = msg("166", part292); + +var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, +])); + +var msg235 = msg("167", part293); + +var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, +])); + +var msg236 = msg("168", part294); + +var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, +])); + +var msg237 = msg("169", part295); + +var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, +])); + +var msg238 = msg("170", part296); + +var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ + dup62, +])); + +var msg239 = msg("171", part297); + +var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", 
processor_chain([ + dup87, +])); + +var msg240 = msg("171:01", part298); + +var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var msg241 = msg("171:02", part299); + +var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + +var all38 = all_match({ + processors: [ + part300, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var msg242 = msg("171:03", all38); + +var select70 = linear_select([ + msg239, + msg240, + msg241, + msg242, +]); + +var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, +])); + +var msg243 = msg("172", part301); + +var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, +])); + +var msg244 = msg("172:01", part302); + +var select71 = linear_select([ + msg243, + msg244, +]); + +var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, +])); + +var msg245 = msg("173", part303); + +var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, +])); + +var msg246 = msg("174", part304); + +var all39 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var msg247 = msg("174:01", all39); + +var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup12, + ]), +}); + +var msg248 = msg("174:02", all40); + +var all41 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup12, + ]), +}); + +var msg249 = msg("174:03", all41); + +var select72 = linear_select([ + msg246, + msg247, + msg248, 
+ msg249, +]); + +var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup59, +])); + +var msg250 = msg("175", part305); + +var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup59, +])); + +var msg251 = msg("175:01", part306); + +var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup59, +])); + +var msg252 = msg("175:02", part307); + +var select73 = linear_select([ + msg250, + msg251, + msg252, +]); + +var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup87, +])); + +var msg253 = msg("176", part308); + +var msg254 = msg("177", dup185); + +var msg255 = msg("178", dup190); + +var msg256 = msg("179", dup185); + +var all42 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup91, + ]), +}); + +var msg257 = msg("180", all42); + +var all43 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup91, + ]), +}); + +var msg258 = msg("180:01", all43); + +var select74 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("181", dup184); + +var all44 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup62, + ]), +}); + +var msg260 = msg("181:01", all44); + +var select75 = linear_select([ + msg259, + msg260, +]); + +var msg261 = msg("193", dup228); + +var msg262 = msg("194", dup229); + +var msg263 = msg("195", dup229); + +var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} 
%{p0}"); + +var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + +var select76 = linear_select([ + dup98, + part310, +]); + +var all45 = all_match({ + processors: [ + part309, + select76, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg264 = msg("196", all45); + +var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + +var select77 = linear_select([ + dup98, + part311, +]); + +var all46 = all_match({ + processors: [ + dup95, + select77, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg265 = msg("196:01", all46); + +var select78 = linear_select([ + msg264, + msg265, +]); + +var msg266 = msg("199", dup230); + +var msg267 = msg("200", dup226); + +var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup29, +])); + +var msg268 = msg("235:02", part312); + +var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + +var all47 = all_match({ + processors: [ + part313, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg269 = msg("235", all47); + +var msg270 = msg("235:01", dup231); + +var select79 = linear_select([ + msg268, + msg269, + msg270, +]); + +var msg271 = msg("236", dup231); + +var msg272 = msg("237", dup230); + +var msg273 = msg("238", dup230); + +var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, +])); + +var msg274 = msg("239", part314); + +var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, +])); + +var msg275 = msg("240", part315); + +var part316 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, +])); + +var msg276 = msg("241", part316); + +var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup70, +])); + +var msg277 = msg("241:01", part317); + +var select80 = linear_select([ + msg276, + msg277, +]); + +var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + +var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var select81 = linear_select([ + part318, + part319, + dup35, +]); + +var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + +var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + +var select82 = linear_select([ + part320, + part321, + dup28, +]); + +var all48 = all_match({ + processors: [ + dup44, + select81, + dup36, + select82, + ], + on_success: processor_chain([ + dup70, + ]), +}); + +var msg278 = msg("242", all48); + +var msg279 = msg("252", dup193); + +var msg280 = msg("255", dup193); + +var msg281 = msg("257", dup193); + +var msg282 = msg("261:01", dup232); + +var msg283 = msg("261", dup193); + +var select83 = linear_select([ + msg282, + msg283, +]); + +var msg284 = msg("262", dup232); + +var all49 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg285 = msg("273", all49); + +var msg286 = msg("328", dup233); + +var msg287 = msg("329", dup226); + +var msg288 = msg("346", dup193); + +var msg289 = msg("350", dup193); + +var msg290 = msg("351", dup193); + +var msg291 = msg("352", dup193); + +var msg292 = msg("353:01", dup190); + +var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} 
lifeSeconds=%{misc}\"", processor_chain([ + dup5, +])); + +var msg293 = msg("353", part322); + +var select84 = linear_select([ + msg292, + msg293, +]); + +var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, +])); + +var msg294 = msg("354", part323); + +var msg295 = msg("355", dup194); + +var msg296 = msg("355:01", dup193); + +var select85 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("356", dup195); + +var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, +])); + +var msg298 = msg("357", part324); + +var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var msg299 = msg("357:01", part325); + +var select86 = linear_select([ + msg298, + msg299, +]); + +var msg300 = msg("358", dup196); + +var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), +])); + +var msg301 = msg("371", part326); + +var msg302 = msg("371:01", dup197); + +var select87 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("372", dup193); + +var msg304 = msg("373", dup195); + +var msg305 = msg("401", dup234); + +var msg306 = msg("402", dup234); + +var msg307 = msg("406", dup196); + +var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var msg308 = msg("413", part327); + +var msg309 = msg("414", dup193); + +var msg310 = msg("438", dup235); + +var msg311 = msg("439", dup235); + +var all50 = 
all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), +}); + +var msg312 = msg("440", all50); + +var all51 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), +}); + +var msg313 = msg("441", all51); + +var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), +])); + +var msg314 = msg("441:01", part328); + +var select88 = linear_select([ + msg313, + msg314, +]); + +var all52 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), +}); + +var msg315 = msg("442", all52); + +var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + +var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + +var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + +var select89 = linear_select([ + part330, + part331, +]); + +var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var all53 = all_match({ + processors: [ + part329, + select89, + part332, + dup199, + dup112, + ], + on_success: processor_chain([ + dup59, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg316 = msg("446", all53); + +var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + 
dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg317 = msg("477", part333); + +var all54 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg318 = msg("509", all54); + +var all55 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var msg319 = msg("520", all55); + +var msg320 = msg("522", dup236); + +var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + +var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); + +var all56 = all_match({ + processors: [ + part334, + dup179, + part335, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg321 = msg("522:01", all56); + +var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + +var select90 = linear_select([ + part336, + dup39, +]); + +var all57 = all_match({ + processors: [ + dup38, + select90, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg322 = msg("522:02", all57); + +var select91 = linear_select([ + msg320, + msg321, + msg322, +]); + +var msg323 = msg("523", dup236); + +var all58 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg324 = msg("524", all58); + +var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + +var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + +var select92 = linear_select([ + part337, + part338, +]); + +var all59 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + select92, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var 
msg325 = msg("524:01", all59); + +var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); + +var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + +var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + +var select93 = linear_select([ + part340, + part341, +]); + +var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + +var all60 = all_match({ + processors: [ + part339, + select93, + part342, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), +}); + +var msg326 = msg("524:02", all60); + +var select94 = linear_select([ + msg324, + msg325, + msg326, +]); + +var msg327 = msg("526", dup237); + +var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + +var select95 = linear_select([ + dup25, + part343, + dup39, +]); + +var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + +var select96 = linear_select([ + dup27, + part344, +]); + +var all61 = all_match({ + processors: [ + dup80, + select95, + dup10, + select96, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg328 = msg("526:01", all61); + +var all62 = all_match({ + processors: [ + dup7, + dup201, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg329 = msg("526:02", all62); + +var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg330 = msg("526:03", 
part345); + +var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg331 = msg("526:04", part346); + +var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg332 = msg("526:05", part347); + +var select97 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, +]); + +var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + +var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + +var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + +var select98 = linear_select([ + part349, + part350, +]); + +var all63 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part348, + select98, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg333 = msg("537:01", all63); + +var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); + +var all64 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part351, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg334 = msg("537:02", all64); + +var select99 = linear_select([ + dup117, + dup118, + dup119, + dup120, +]); + +var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + +var select100 = linear_select([ + dup123, + 
part352, + part353, +]); + +var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + +var select101 = linear_select([ + dup124, + dup125, +]); + +var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + +var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + +var select102 = linear_select([ + part355, + part356, +]); + +var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + +var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + +var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + +var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + +var select103 = linear_select([ + part357, + part358, + part359, + part360, + part361, +]); + +var all65 = all_match({ + processors: [ + select99, + dup204, + dup205, + select100, + part354, + select101, + select102, + select103, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg335 = msg("537:08", all65); + +var select104 = linear_select([ + dup118, + dup117, + dup119, + dup120, +]); + +var part362 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + +var select105 = linear_select([ + dup126, + part362, + part363, +]); + +var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var select106 = linear_select([ + dup129, + dup130, + dup131, + dup132, +]); + +var all66 = all_match({ + processors: [ + select104, + dup204, + dup205, + select105, + 
part364, + dup206, + select106, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg336 = msg("537:09", all66); + +var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var select107 = linear_select([ + dup117, + part365, + dup119, + dup120, +]); + +var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + +var select108 = linear_select([ + part366, + part367, + dup124, + dup125, +]); + +var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + +var select109 = linear_select([ + dup129, + dup130, + dup131, + part368, + dup132, +]); + +var all67 = all_match({ + processors: [ + select107, + dup204, + dup205, + dup186, + select108, + dup206, + select109, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg337 = msg("537:07", all67); + +var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + +var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + +var select110 = linear_select([ + part369, + part370, +]); + +var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + +var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + +var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + +var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + +var part375 = 
match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + +var select111 = linear_select([ + part372, + part373, + part374, + part375, +]); + +var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + +var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + +var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + +var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + +var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + +var select112 = linear_select([ + part376, + part377, + part378, + part379, + part380, +]); + +var all68 = all_match({ + processors: [ + dup48, + select110, + part371, + dup202, + select111, + select112, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg338 = msg("537", all68); + +var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + +var all69 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part381, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg339 = msg("537:04", all69); + +var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); + +var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + +var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + +var select113 = linear_select([ + part383, + part384, +]); + +var all70 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part382, + select113, + dup90, + ], + on_success: processor_chain([ + dup105, + ]), +}); + 
+var msg340 = msg("537:05", all70); + +var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); + +var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + +var select114 = linear_select([ + dup126, + part386, + part387, +]); + +var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + +var all71 = all_match({ + processors: [ + part385, + dup208, + dup137, + dup209, + select114, + part388, + dup210, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg341 = msg("537:10", all71); + +var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); + +var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + +var select115 = linear_select([ + dup77, + part390, + part391, +]); + +var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + +var all72 = all_match({ + processors: [ + part389, + dup208, + dup137, + dup209, + select115, + part392, + dup210, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg342 = msg("537:03", all72); + +var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + +var all73 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part393, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg343 = msg("537:06", all73); + +var part394 = 
match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, +])); + +var msg344 = msg("537:11", part394); + +var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, +])); + +var msg345 = msg("537:12", part395); + +var select116 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, +]); + +var msg346 = msg("538", dup228); + +var msg347 = msg("549", dup226); + +var msg348 = msg("557", dup226); + +var all74 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), +}); + +var msg349 = msg("558", all74); + +var msg350 = msg("561", dup233); + +var msg351 = msg("562", dup233); + +var msg352 = msg("563", dup233); + +var all75 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), +}); + +var msg353 = msg("583", all75); + +var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", 
processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg354 = msg("597:01", part396); + +var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, +])); + +var msg355 = msg("597:02", part397); + +var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var all76 = all_match({ + processors: [ + part398, + dup187, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg356 = msg("597:03", all76); + +var select117 = linear_select([ + msg354, + msg355, + msg356, +]); + +var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, +])); + +var msg357 = msg("598", part399); + +var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); + +var all77 = all_match({ + processors: [ + dup146, + dup182, + part400, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg358 = msg("598:01", all77); + +var all78 = all_match({ + processors: [ + dup146, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg359 = msg("598:02", all78); + +var select118 = linear_select([ + msg357, + msg358, + msg359, +]); + +var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg360 = msg("602:01", part401); 
+ +var msg361 = msg("602:02", dup237); + +var all79 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg362 = msg("602:03", all79); + +var select119 = linear_select([ + msg360, + msg361, + msg362, +]); + +var msg363 = msg("605", dup196); + +var all80 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup199, + dup112, + ], + on_success: processor_chain([ + dup87, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg364 = msg("606", all80); + +var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + +var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + +var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + +var select120 = linear_select([ + part403, + part404, +]); + +var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + +var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + +var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + +var select121 = linear_select([ + part406, + part407, +]); + +var part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + +var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + +var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + +var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + +var select122 = linear_select([ + part409, + part410, + part411, +]); + +var all81 = all_match({ + processors: [ + part402, + select120, + part405, + select121, + part408, + select122, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg365 = msg("608", all81); + +var msg366 = msg("616", dup194); + +var 
msg367 = msg("658", dup190); + +var msg368 = msg("710", dup212); + +var msg369 = msg("712:02", dup238); + +var msg370 = msg("712", dup212); + +var all82 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup150, + ]), +}); + +var msg371 = msg("712:01", all82); + +var select123 = linear_select([ + msg369, + msg370, + msg371, +]); + +var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg372 = msg("713:01", part412); + +var msg373 = msg("713:04", dup238); + +var msg374 = msg("713:02", dup212); + +var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg375 = msg("713:03", part413); + +var select124 = linear_select([ + msg372, + msg373, + msg374, + msg375, +]); + +var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg376 = msg("760", part414); + +var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); + +var all83 = 
all_match({ + processors: [ + part415, + dup174, + dup10, + dup191, + part416, + ], + on_success: processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg377 = msg("760:01", all83); + +var select125 = linear_select([ + msg376, + msg377, +]); + +var msg378 = msg("766", dup216); + +var msg379 = msg("860", dup216); + +var msg380 = msg("860:01", dup217); + +var select126 = linear_select([ + msg379, + msg380, +]); + +var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + +var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + +var select127 = linear_select([ + part418, + part419, +]); + +var all84 = all_match({ + processors: [ + part417, + select127, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), +}); + +var msg381 = msg("866", all84); + +var msg382 = msg("866:01", dup217); + +var select128 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("867", dup216); + +var msg384 = msg("867:01", dup217); + +var select129 = linear_select([ + msg383, + msg384, +]); + +var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, +])); + +var msg385 = msg("882", part420); + +var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, +])); + +var msg386 = msg("882:01", part421); + +var select130 = linear_select([ + msg385, + msg386, +]); + +var part422 = 
match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, +])); + +var msg387 = msg("888", part422); + +var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, +])); + +var msg388 = msg("888:01", part423); + +var select131 = linear_select([ + msg387, + msg388, +]); + +var all85 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup159, + ]), +}); + +var msg389 = msg("892", all85); + +var msg390 = msg("904", dup216); + +var msg391 = msg("905", dup216); + +var msg392 = msg("906", dup216); + +var msg393 = msg("907", dup216); + +var select132 = linear_select([ + dup73, + dup138, +]); + +var all86 = all_match({ + processors: [ + dup160, + select132, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg394 = msg("908", all86); + +var msg395 = msg("909", dup216); + +var msg396 = msg("914", dup218); + +var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup64, +])); + +var msg397 = msg("931", part424); + +var msg398 = msg("657", dup218); + +var all87 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg399 = msg("657:01", all87); + +var select133 = linear_select([ + msg398, + msg399, +]); + +var msg400 = msg("403", dup197); + +var msg401 = msg("534", dup176); + +var msg402 = msg("994", dup219); + +var part425 = match("MESSAGE#400:243", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup23, +])); + +var msg403 = msg("243", part425); + +var msg404 = msg("995", dup176); + +var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg405 = msg("997", part426); + +var msg406 = msg("998", dup219); + +var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup11, +])); + +var msg407 = msg("998:01", part427); + +var select134 = linear_select([ + msg406, + msg407, +]); + +var msg408 = msg("1110", dup220); + +var msg409 = msg("565", dup220); + +var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, +])); + +var msg410 = msg("404", part428); + +var select135 = linear_select([ + dup148, + dup50, +]); + +var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + +var all88 = all_match({ + processors: [ + dup81, + select135, + part429, + ], + on_success: processor_chain([ + dup105, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg411 = msg("267:01", all88); + +var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup54, +])); + +var msg412 = msg("267", part430); + +var select136 = linear_select([ + msg411, + msg412, +]); + +var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup23, +])); + +var msg413 = msg("263", part431); + +var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, +])); + +var msg414 = msg("264", part432); + +var msg415 = msg("412", dup197); + +var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, +])); + +var msg416 = msg("793", part433); + +var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup23, +])); + +var msg417 = msg("805", part434); + +var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, +])); + +var msg418 = msg("809", part435); + +var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, +])); + 
+var msg419 = msg("809:01", part436); + +var select137 = linear_select([ + msg418, + msg419, +]); + +var msg420 = msg("935", dup218); + +var msg421 = msg("614", dup221); + +var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var all89 = all_match({ + processors: [ + part437, + dup199, + dup112, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), +}); + +var msg422 = msg("748", all89); + +var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + +var select138 = linear_select([ + part439, + dup111, +]); + +var all90 = all_match({ + processors: [ + part438, + select138, + dup112, + ], + on_success: processor_chain([ + dup163, + dup37, + ]), +}); + +var msg423 = msg("794", all90); + +var msg424 = msg("1086", dup221); + +var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var msg425 = msg("1430", part440); + +var msg426 = msg("1149", dup221); + +var msg427 = msg("1159", dup221); + +var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var msg428 = msg("1195", part441); + +var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, + dup37, 
+])); + +var msg429 = msg("1195:01", part442); + +var select139 = linear_select([ + msg428, + msg429, +]); + +var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg430 = msg("1226", part443); + +var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg431 = msg("1222", part444); + +var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, +])); + +var msg432 = msg("1154", part445); + +var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + +var all91 = all_match({ + processors: [ + part446, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + dup23, + ]), +}); + +var msg433 = msg("1154:01", all91); + +var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, + dup11, +])); + +var msg434 = msg("1154:02", part447); + +var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var select140 = linear_select([ + dup123, + dup49, 
+]); + +var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all92 = all_match({ + processors: [ + part448, + select140, + part449, + ], + on_success: processor_chain([ + dup164, + dup11, + ]), +}); + +var msg435 = msg("1154:03", all92); + +var select141 = linear_select([ + msg432, + msg433, + msg434, + msg435, +]); + +var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, +])); + +var msg436 = msg("msg", part450); + +var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, +])); + +var msg437 = msg("src", part451); + +var all93 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg438 = msg("1235", all93); + +var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + +var all94 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup191, + part452, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg439 = msg("1197", all94); + +var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var all95 = all_match({ + processors: [ + part453, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg440 = msg("1199", all95); + +var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + 
+var msg441 = msg("1199:01", part454); + +var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + +var msg442 = msg("1199:02", part455); + +var select142 = linear_select([ + msg440, + msg441, + msg442, +]); + +var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + +var all96 = all_match({ + processors: [ + part456, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg443 = msg("1155", all96); + +var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, +])); + +var msg444 = msg("1155:01", part457); + +var select143 = linear_select([ + msg443, + msg444, +]); + +var all97 = all_match({ + processors: [ + dup168, + dup201, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg445 = msg("1198", all97); + +var all98 = all_match({ + processors: [ + dup7, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg446 = msg("714", all98); + +var msg447 = msg("709", dup239); + +var msg448 = msg("1005", dup239); + +var msg449 = msg("1003", dup239); + +var msg450 = msg("1007", dup240); + +var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" 
fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, +])); + +var msg451 = msg("1008", part458); + +var msg452 = msg("708", dup240); + +var all99 = all_match({ + processors: [ + dup168, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg453 = msg("1201", all99); + +var msg454 = msg("1201:01", dup240); + +var select144 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("654", dup222); + +var msg456 = msg("670", dup222); + +var msg457 = msg("884", dup240); + +var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg458 = msg("1153", part459); + +var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + +var part461 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + +var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + +var select145 = linear_select([ + part460, + part461, + part462, +]); + +var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + +var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var select146 = linear_select([ + part464, + dup25, +]); + +var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + +var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + +var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + +var select147 = linear_select([ + part465, + part466, + part467, +]); + +var part468 = 
match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + +var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + +var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + +var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + +var select148 = linear_select([ + part469, + part470, + part471, +]); + +var all100 = all_match({ + processors: [ + select145, + part463, + select146, + dup10, + select147, + part468, + select148, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg459 = msg("1153:01", all100); + +var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + +var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + +var select149 = linear_select([ + part473, + part474, +]); + +var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + +var all101 = all_match({ + processors: [ + part472, + select149, + part475, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg460 = msg("1153:02", all101); + +var select150 = linear_select([ + msg458, + msg459, + msg460, +]); + +var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, +])); + +var msg461 = msg("1107", part476); + +var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + +var part478 = 
match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + +var select151 = linear_select([ + part478, + part479, +]); + +var all102 = all_match({ + processors: [ + part477, + select151, + dup10, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg462 = msg("1220", all102); + +var all103 = all_match({ + processors: [ + dup147, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg463 = msg("1230", all103); + +var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg464 = msg("1231", part480); + +var part481 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + +var msg465 = msg("1233", part481); + +var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + +var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + +var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + +var select152 = linear_select([ + part483, + part484, +]); + +var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + +var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + +var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + +var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + +var select153 = 
linear_select([ + part486, + part487, + part488, +]); + +var all104 = all_match({ + processors: [ + part482, + select152, + part485, + select153, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg466 = msg("1079", all104); + +var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, +])); + +var msg467 = msg("1079:01", part489); + +var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg468 = msg("1079:02", part490); + +var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg469 = msg("1079:03", part491); + +var select154 = linear_select([ + msg466, + msg467, + msg468, + msg469, +]); + +var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + +var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var select155 = linear_select([ + dup73, + part493, +]); + +var select156 = linear_select([ + dup77, + dup78, +]); + +var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + +var all105 = all_match({ + processors: [ + part492, + select155, + dup10, + select156, + part494, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg470 = msg("1080", all105); + +var part495 = match("MESSAGE#470:580", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg471 = msg("580", part495); + +var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var all106 = all_match({ + processors: [ + part496, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg472 = msg("1369", all106); + +var all107 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg473 = msg("1370", all107); + +var all108 = all_match({ + processors: [ + dup147, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg474 = msg("1371", all108); + +var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + +var select157 = linear_select([ + dup138, + part497, +]); + +var all109 = all_match({ + processors: [ + dup160, + select157, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg475 = msg("1387", all109); + +var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + +var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + +var select158 = 
linear_select([ + dup69, + part499, +]); + +var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + +var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + +var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + +var select159 = linear_select([ + part500, + part501, + part502, +]); + +var all110 = all_match({ + processors: [ + part498, + select158, + select159, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg476 = msg("1391", all110); + +var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg477 = msg("1253", part503); + +var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg478 = msg("1009", part504); + +var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + +var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + +var select160 = linear_select([ + part506, + part507, +]); + +var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + +var all111 = all_match({ + processors: [ + 
part505, + select160, + part508, + ], + on_success: processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg479 = msg("910", all111); + +var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup21, + dup37, +])); + +var msg480 = msg("m:01", part509); + +var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg481 = msg("1011", part510); + +var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg482 = msg("609", part511); + +var msg483 = msg("796", dup225); + +var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg484 = msg("880", part512); + +var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg485 = msg("1309", part513); + +var msg486 = msg("1310", dup225); + +var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + +var part515 = 
match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + +var select161 = linear_select([ + part514, + part515, +]); + +var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + +var all112 = all_match({ + processors: [ + dup81, + select161, + part516, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg487 = msg("1232", all112); + +var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var all113 = all_match({ + processors: [ + part517, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg488 = msg("1447", all113); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select154, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select66, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select139, + "1197": msg439, + "1198": msg445, + "1199": select142, + "12": select4, + "120": msg181, + "1201": select144, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, 
+ "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select68, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select69, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select70, + "172": select71, + "173": msg245, + "174": select72, + "175": select73, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select74, + "181": select75, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select78, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select79, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select80, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select83, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select136, 
+ "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select19, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select84, + "354": msg294, + "355": select85, + "356": msg297, + "357": select86, + "358": msg300, + "36": select23, + "37": select27, + "371": select87, + "372": msg303, + "373": msg304, + "38": select30, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select31, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select88, + "442": msg315, + "446": msg316, + "45": select32, + "46": select33, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select91, + "523": msg323, + "524": select94, + "526": select97, + "53": msg88, + "534": msg401, + "537": select116, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select117, + "598": select118, + "6": select3, + "60": msg90, + "602": select119, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select34, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select133, + "658": msg367, + "66": msg97, + "67": select35, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select37, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select123, + "713": select124, + "714": msg446, + "72": select38, + "73": msg106, + "74": msg107, + "748": msg422, + "75": 
msg108, + "76": msg109, + "760": select125, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select137, + "81": msg114, + "82": select39, + "83": select40, + "84": msg122, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, + "880": msg484, + "882": select130, + "884": msg457, + "888": select131, + "89": select45, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select52, + "98": select65, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select134, + "m": msg480, + "msg": msg436, + "src": msg437, + }), +]); + +var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + +var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + +var 
part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + +var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + +var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + +var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + +var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + +var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var 
part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var part555 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + +var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var part566 
= match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + +var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + +var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + +var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + +var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" 
n=%{p0}"); + +var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + 
+var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + +var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + +var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var 
part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + +var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var select162 = linear_select([ + dup8, + dup9, +]); + +var select163 = linear_select([ + dup15, + dup16, +]); + +var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var select164 = linear_select([ + dup25, + dup26, +]); + +var select165 = linear_select([ + dup27, + dup28, +]); + +var select166 = linear_select([ + dup34, + dup35, +]); + +var select167 = linear_select([ + dup25, + dup39, +]); + +var select168 = linear_select([ + dup41, + dup42, +]); + +var select169 = linear_select([ + dup46, + dup47, +]); + +var select170 = linear_select([ + dup49, + dup50, +]); + +var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var select171 = linear_select([ + dup71, + dup75, + dup76, +]); + +var select172 = 
linear_select([ + dup8, + dup25, +]); + +var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, +])); + +var select173 = linear_select([ + dup88, + dup89, +]); + +var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, +])); + +var select174 = linear_select([ + dup92, + dup93, +]); + +var select175 = linear_select([ + dup96, + dup97, +]); + +var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var select176 = linear_select([ + dup66, + dup108, +]); + +var select177 = linear_select([ + dup110, + dup111, +]); + +var select178 = linear_select([ + dup115, + dup45, +]); + +var select179 = linear_select([ + dup8, + dup26, +]); + +var select180 = linear_select([ + dup8, + dup25, + dup39, +]); + +var select181 = linear_select([ + dup71, + dup15, + dup16, +]); + +var select182 = linear_select([ + dup121, + dup122, +]); + +var select183 = linear_select([ + dup68, 
+ dup69, + dup74, +]); + +var select184 = linear_select([ + dup127, + dup128, +]); + +var select185 = linear_select([ + dup41, + dup42, + dup134, +]); + +var select186 = linear_select([ + dup135, + dup136, +]); + +var select187 = linear_select([ + dup138, + dup139, +]); + +var select188 = linear_select([ + dup140, + dup141, +]); + +var select189 = linear_select([ + dup49, + dup148, +]); + +var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, +])); + +var select190 = linear_select([ + dup152, + dup40, +]); + +var select191 = linear_select([ + dup154, + dup155, +]); + +var select192 = linear_select([ + dup156, + dup157, +]); + +var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, +])); + +var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, +])); + +var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, +])); + +var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, +])); + +var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, +])); + +var select193 = linear_select([ + dup169, 
+ dup170, +]); + +var select194 = linear_select([ + dup172, + dup173, +]); + +var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var all114 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var all115 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), +}); + +var all116 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all117 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all118 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), +}); + +var all119 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var all120 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var all121 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), +}); + +var all122 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var all123 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), +}); + +var all124 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var all125 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all126 = all_match({ + processors: [ + dup151, 
+ dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var all127 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all128 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml new file mode 100644 index 00000000000..75670b6f441 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Sonicwall-FW
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
new file mode 100644
index 00000000000..18e06e5fd2e
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["sonicwall.firewall", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9519
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
new file mode 100644
index 00000000000..41f778c72f3
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
@@ -0,0 +1,21 @@ +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN +Jan 3 
13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 +Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3 +Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=1.1.1.1:500 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500 +Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns +Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445 +Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957 +Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN 
dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name" +Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582 +Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json new file mode 100644 index 00000000000..9f972c2e6fc --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json 
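Review bot: The sample log uses live, routable addresses as its "external" hosts — `1.1.1.1`, `2.2.2.2` and `219.89.19.223` — and the committed expected output resolves them through GeoIP/ASN to Cloudflare, Orange and a New Zealand network, so a third party's real addresses end up published in the repository as the peer of failed administrator logins and dropped ICMP. Test fixtures should use the RFC 5737 documentation ranges instead (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), e.g. `src=203.0.113.5:36701:WAN dst=192.0.2.1:50000:WAN`; that also stops the golden `source.geo.*`/`source.as.*` values from drifting whenever the bundled MaxMind database is refreshed. The private `192.168.x.x` addresses are fine as they are.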
@@ -0,0 +1,660 @@ +[ + { + "@timestamp": "2007-01-03T16:48:06.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 0, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:06.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36701, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.action": "Administrator login denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 203, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + 
"Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 414, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36702, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + 
"log.offset": 617, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:08.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 843, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1092, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ 
+ "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1345, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1560, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + 
"source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36703, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Administrator login denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1763, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + "Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:11.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1974, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + 
"rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:11.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36704, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:14.000Z", + "event.code": "38", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2177, + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "219.89.19.223" + ], + "rsa.internal.event_desc": "ICMP packet dropped", + "rsa.internal.messageid": "38", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:14.000Z", + "service.type": "sonicwall", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "NZ", + "source.geo.location.lat": -41.0, + "source.geo.location.lon": 174.0, + "source.ip": [ + "219.89.19.223" + ], + "source.port": 1026, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:14.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection 
Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2382, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:15.000Z", + "event.code": "346", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2582, + "log.original": "IKE Initiator: Start Quick Mode (Phase 2).", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "346", + "rsa.internal.msg": "IKE Initiator: Start Quick Mode (Phase 2).", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:15.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2780, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "1.1.1.1" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": [ + "1.1.1.1" + ], + "source.port": 500, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:15.000Z", + "event.code": "483", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2977, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "483", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:15.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3165, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": 
"Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.115.10" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:15.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.115.10" + ], + "source.port": 11549, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:17.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3375, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "LAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.5.64" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "LAN", + "rsa.time.event_time": "2007-01-03T16:48:17.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.5.64" + ], + "source.port": 3182, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:18.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 
3584, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:18.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:20.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3806, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:20.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:20.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4049, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.125.75" + ], + "rsa.internal.messageid": "98", 
+ "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:20.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.125.75" + ], + "source.port": 524, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:21.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4260, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "192.168.6.10" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:21.000Z", + "service.type": "sonicwall", + "source.ip": [ + "192.168.6.10" + ], + "source.port": 28503, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log new file mode 100644 index 00000000000..eb7e231070a --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log 
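Review bot: The two `Administrator login denied due to bad credentials` events (message id 30, at `log.offset` 203 and 1763) are recorded with only `event.action`/`rsa.misc.action` and no `source.ip`, `source.port` or `destination.ip`, even though the raw line carries `src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN`, and both are flagged `dissect_parsing_error`; a failed admin login without the client address cannot feed any brute-force or credential-stuffing detection, so this looks like a gap in the message-30 pattern in pipeline.js (outside this hunk) that the golden file now locks in rather than a correct expectation. The same flag appears on almost every other event in the file, and the `Connection Opened`/`Connection Closed` records lack `destination.*` and `network.protocol` despite `dst=` and `proto=` being present in `event.original`, which suggests the expected JSON was regenerated from partial parses. I would fix the patterns and regenerate before merging, and — if it fits the RSA-to-ECS mapping used by this module — add `"event.category": ["authentication"]`, `"event.type": ["start"]` and `"event.outcome": "failure"` for message 30 so it lands in the ECS authentication views.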
@@ -0,0 +1,100 @@ +idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp +id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed +id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" +emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up +id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway +id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 +llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked +mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure +id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal +orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked +id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host +id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated +id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" +id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped +id=qua sn=luptatev 
time="2016/08/16 08:45:59" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores +id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings +id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" +id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed +id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" +id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 +id=quip sn=mporain time="2016-11-10 3:01:24" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept" +id=idex sn=xerci time="2016/11/24 10:03:59" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib +id=ari sn=exercit time="2016/12/08 17:06:33" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active +id=serunt sn=aquaeabi time="2016/12/23 00:09:07" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). 
+id=veniamq sn=one time="2017/01/06 07:11:41" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source +id=tin sn=tenima time="2017/01/20 14:14:16" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete +id=equat sn=derit time="2017/02/03 21:16:50" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc +eporr id=xeacomm sn=mveleu time="2017/02/18 04:19:24" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated +id=nisi sn=dant time="2017/03/04 11:21:59" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state. +id=quidolor sn=tessec time="2017/03/18 18:24:33" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp +id=Nequepor sn=ali time="2017/04/02 01:27:07" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed +id=ehen sn=tate time="2017/04/16 08:29:41" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25 +id=Nequepo sn=ipsumd time="2017/04/30 15:32:16" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed +id=reetdolo sn=smo time="2017/05/14 22:34:50" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam +santiumd id=turadip sn=uatD time="2017/05/29 05:37:24" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped +id=volu sn=nonn time="2017/06/12 12:39:58" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login +id=sBon sn=orro time="2017/06/26 19:42:33" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD +amvo id=qui sn=tasn time="2017/07/11 02:45:07" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" +id=tvolupt sn=eufugi time="2017/07/25 09:47:41" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter 
list available +temqu id=ovol sn=ptasn time="2017/08/08 16:50:15" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped +id=pid sn=illoin time="2017/08/22 23:52:50" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout +id=mestq sn=temUt time="2017/09/06 06:55:24" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active +id=adeser sn=oin time="2017/09/20 13:57:58" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 +reetdol id=totamre sn=isnostr time="2017/10/04 21:00:32" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out +psaquaea id=taevita sn=ameiusm time="2017/10/19 04:03:07" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit +elitse id=ima sn=quasia time="2017/11/02 11:05:41" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local +id=asiarc sn=ian time="2017/11/16 18:08:15" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed +id=intocc sn=amcorp time="2017/12/01 01:10:49" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit +id=gna sn=con time="2017/12/15 08:13:24" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 +rem id=asper sn=idunt time="2017/12/29 15:15:58" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server +id=uisaute sn=imide time="2018/01/12 22:18:32" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable +id=ilmol sn=eri time="2018/01/27 05:21:06" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori 
src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp +id=ntutlabo sn=iusmodte time="2018-2-10 12:23:41" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny" +id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped +sit id=rumSect sn=ita time="2018/03/11 02:28:49" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E +oremag id=illu sn=ruredo time="2018/03/25 09:31:24" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore +id=onu sn=liquaUte time="2018/04/08 16:33:58" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication +id=mveniamq sn=taedict time="2018-4-22 11:36:32" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow" +id=uiinea sn=mnisiut time="2018/05/07 06:39:06" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 +id=mve sn=uia time="2018/05/21 13:41:41" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout +id=doei sn=cipitl time="2018/06/04 20:44:15" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 +ipsa id=asuntexp sn=adminim time="2018/06/19 03:46:49" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable +id=iumt sn=tsed time="2018/07/03 10:49:23" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +id=loremag sn=tcu time="2018/07/17 17:51:58" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 +elillum id=upt sn=rnat time="2018/08/01 00:54:32" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped +doeiu id=deF sn=itempo time="2018/08/15 07:57:06" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor 
src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" +BCS id=qui sn=ugiatquo time="2018/08/29 14:59:40" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN +id=vol sn=admi time="2018/09/12 22:02:15" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 +id=olorem sn=gitse time="2018/09/27 05:04:49" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" +id=gna sn=isiutali time="2018/10/11 12:07:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed +id=uaturve sn=amquisno time="2018/10/25 19:09:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 +id=atu sn=iusm time="2018/11/09 02:12:32" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 +id=oin sn=itseddoe time="2018/11/23 09:15:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. +id=giatquov sn=olu time="2018/12/07 16:17:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. 
+emagn id=emulla sn=mips time="2018/12/21 23:20:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out +id=itametc sn=ori time="2019/01/05 06:22:49" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle +id=doconse sn=etdol time="2019/01/19 13:25:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 +id=min sn=oluptat time="2019/02/02 20:27:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 +id=eacommo sn=ueip time="2019/02/17 03:30:32" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon +usm id=labori sn=porai time="2019/03/03 10:33:06" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked +id=lup sn=upta time="2019-3-17 5:35:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" +id=mmod sn=iti time="2019/04/01 00:38:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/04/15 07:40:49" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/04/29 14:43:23" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +oluptate id=lit sn=santi time="2019/05/13 21:45:57" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar +id=vol sn=psumd time="2019/05/28 04:48:31" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 +enbyCi id=reetdo sn=tat time="2019/06/11 11:51:06" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). 
+id=iamqui sn=tassita time="2019/06/25 18:53:40" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129 +inesciu id=quid sn=atcupid time="2019/07/10 01:56:14" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur +hite id=ianonnum sn=nofdeFi time="2019/07/24 08:58:48" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup +id=arch sn=lite time="2019/08/07 16:01:23" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 +id=rumSecti sn=Utenima time="2019-8-21 11:03:57" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny" +id=amquisno sn=modoc time="2019/09/05 06:06:31" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded +id=Bonorum sn=lesti time="2019/09/19 13:09:05" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked +uuntur id=tsedquia sn=its time="2019/10/03 20:11:40" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent +id=tatevel sn=midestl time="2019/10/18 03:14:14" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342 +id=hilmole sn=sequ time="2019/11/01 10:16:48" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination +umtota id=etdolore sn=magnaa time="2019/11/15 17:19:22" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi +id=rep sn=remap time="2019/11/30 00:21:57" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN +id=nesciun sn=amcolab time="2019/12/14 07:24:31" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745 diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json new file mode 100644 index 00000000000..6892f63bb1c 
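Review bot: Several fixture lines are malformed in ways the companion expected output then pins as correct behaviour rather than as parse errors: the third line runs tokens together with no separator (`n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow"`) and several lines carry a space after `=` (`srcMac= 01:00:5e:1a:ec:91`, `dst= 10.107.251.87`, `src= 10.240.54.28 dst= 10.115.38.80`). In the expected JSON that follows (its hunk runs past this chunk) the third event ends up with `"event.code": "alo"` — the `id=` value — while `rsa.internal.messageid` is `1369`, and the `srcMac= ` line yields `"source.mac": " 01:00:5e:1a:ec:91"` with the leading space preserved, so a detection keyed on event.code or matching the MAC exactly would miss these events. If these lines are meant as deliberate negative cases it would help to say so where the fixture is documented, or to regenerate the fixture without the run-together tokens so the expected file reflects the documented format; either way the leading space in source.mac looks like a trim the pipeline should apply before the ECS copy. The first event's `"source.address": "oreetdol1714.internal.corp"` is also the dst hostname from that line, which looks like a swapped mapping worth a second look.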
--- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json 
@@ -0,0 +1,2695 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.nat.ip": "10.49.111.67", + "destination.nat.port": 884, + "event.code": "914", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", + "fileset.name": "firewall", + "host.hostname": "oreetdol1714.internal.corp", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "log.original": "lupt", + "observer.egress.interface.name": "eth3598", + "observer.ingress.interface.name": "eth7178", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.92.136.230", + "10.49.111.67" + ], + "rsa.internal.messageid": "914", + "rsa.internal.msg": "lupt", + "rsa.network.dinterface": "eth3598", + "rsa.network.sinterface": "eth7178", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "sonicwall", + "source.address": "oreetdol1714.internal.corp", + "source.nat.ip": "10.92.136.230", + "source.nat.port": 6437, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "event.code": "16", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 211, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "16", + "rsa.time.date": "2016/02/12", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-02-26T10:15:08.000Z", + "destination.ip": [ + "10.227.15.1" + ], + "destination.mac": "01:00:5e:f7:a9:ff", + "destination.port": 410, + "event.action": "allow", + "event.code": "alo", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.149.203.46", + "input.type": "log", + "log.level": "medium", + "log.offset": 316, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth1977", + "observer.ingress.interface.name": "eth6183", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.149.203.46", + "10.150.156.22", + "10.227.15.1" + ], + "rsa.internal.event_desc": "ctetur", + "rsa.internal.messageid": "1369", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "mwritten", + "rsa.misc.reference_id": "alo", + "rsa.misc.serial_number": "eosquir", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "eth1977", + "rsa.network.sinterface": "eth6183", + "rsa.time.date": "2016-2-26", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.150.156.22" + ], + "source.mac": "01:00:5e:84:66:6c", + "source.port": 6378, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "127", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 563, + "observer.product": "Firewalls", + "observer.type": "Firewall", + 
"observer.vendor": "Sonicwall", + "rsa.internal.messageid": "127", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "170", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 670, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "170", + "rsa.time.date": "2016/03/26", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "destination.ip": [ + "10.13.70.213" + ], + "event.code": "372", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 811, + "log.original": "llu", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.13.70.213", + "10.95.245.65" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "llu", + "rsa.time.date": "2016/04/09", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.95.245.65" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "176", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "llamcorp id=ari sn=eataevit 
time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 959, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "176", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "50", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1098, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T16:30:33.000Z", + "event.code": "87", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1220, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "87", + "rsa.time.date": "2016/05/22", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "15", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 
21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1345, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "15", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "70", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1461, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "70", + "rsa.time.date": "2016/06/20", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1573, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.date": "2016/07/04", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.action": "cancel", + "event.code": "1149", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=undeo 
sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "idolore", + "rsa.internal.messageid": "1149", + "rsa.misc.action": [ + "cancel" + ], + "rsa.time.date": "2016-7-18", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "81", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1807, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "81", + "rsa.time.date": "2016/08/02", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "1110", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1934, + "log.original": "tinvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "1110", + "rsa.internal.msg": "tinvol", + "rsa.misc.space": "", + "rsa.time.date": "2016/08/16", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", 
+ "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "10", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2046, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "10", + "rsa.time.date": "2016/08/30", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "destination.nat.ip": "10.30.196.102", + "event.code": "353", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "fileset.name": "firewall", + "host.hostname": "fugi4637.www.lan", + "input.type": "log", + "log.offset": 2189, + "log.original": "onproide", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.30.196.102", + "10.241.178.107" + ], + "rsa.internal.messageid": "353", + "rsa.internal.msg": "onproide", + "rsa.misc.misc": "imadmini", + "rsa.misc.ntype": "Nemoen", + "rsa.time.date": "2016/09/13", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "sonicwall", + "source.address": "fugi4637.www.lan", + "source.nat.ip": "10.241.178.107", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "68", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itecto sn=erc 
time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2382, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "68", + "rsa.time.date": "2016/09/28", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.nat.ip": "10.78.151.178", + "destination.nat.port": 3088, + "event.code": "24", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2487, + "log.original": "emp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.157.161.103", + "10.78.151.178" + ], + "rsa.internal.event_desc": "taut", + "rsa.internal.messageid": "24", + "rsa.internal.msg": "emp", + "rsa.time.date": "2016/10/12", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.157.161.103", + "source.nat.port": 383, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "destination.ip": [ + "10.239.201.234" + ], + "event.code": "87", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2647, + "log.original": "Loremip", + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.204.11.20", + "10.239.201.234" + ], + "rsa.internal.messageid": "87", + "rsa.internal.msg": "Loremip", + "rsa.time.date": "2016/10/26", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.204.11.20" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.ip": [ + "10.219.116.137" + ], + "destination.mac": "01:00:5e:e1:73:47", + "destination.port": 3452, + "event.action": "accept", + "event.code": "quip", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=quip sn=mporain time=\"2016-11-10 3:01:24\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", + "fileset.name": "firewall", + "host.ip": "10.34.161.166", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2794, + "network.protocol": "icmp", + "observer.egress.interface.name": "enp0s3611", + "observer.ingress.interface.name": "eth4059", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.34.161.166", + "10.219.116.137", + "10.245.200.97" + ], + "rsa.internal.event_desc": "rehend", + "rsa.internal.messageid": "428", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "sequi", + "rsa.misc.reference_id": "quip", + "rsa.misc.serial_number": "mporain", + "rsa.misc.severity": "very-high", + "rsa.network.dinterface": "enp0s3611", + "rsa.network.sinterface": "eth4059", + "rsa.time.date": "2016-11-10", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.245.200.97" + ], + "source.mac": " 01:00:5e:1a:ec:91", + "source.port": 3768, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.ip": [ + "10.252.122.195" + ], + "event.code": "401", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=idex sn=xerci time=\"2016/11/24 10:03:59\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3050, + "log.original": "inesci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.118.80.140", + "10.252.122.195" + ], + "rsa.internal.messageid": "401", + "rsa.internal.msg": "inesci", + "rsa.time.date": "2016/11/24", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.118.80.140" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T19:06:33.000Z", + "event.code": "143", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ari sn=exercit time=\"2016/12/08 17:06:33\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3207, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "143", + "rsa.time.date": "2016/12/08", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "104", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=serunt sn=aquaeabi time=\"2016/12/23 00:09:07\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", + 
"fileset.name": "firewall", + "input.type": "log", + "log.offset": 3338, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "104", + "rsa.time.date": "2016/12/23", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "156", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=veniamq sn=one time=\"2017/01/06 07:11:41\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3467, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "156", + "rsa.time.date": "2017/01/06", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "event.code": "132", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tin sn=tenima time=\"2017/01/20 14:14:16\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3600, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "132", + "rsa.time.date": "2017/01/20", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "867", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=equat sn=derit time=\"2017/02/03 21:16:50\" fw=10.90.86.89 pri=medium c=labor m=867 
msg=\"didunt\" sess=uptatema n=intocc", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3721, + "log.original": "didunt", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "didunt", + "rsa.misc.ntype": "intocc", + "rsa.time.date": "2017/02/03", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/18 04:19:24\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3842, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "113", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nisi sn=dant time=\"2017/03/04 11:21:59\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3956, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "113", + "rsa.time.date": "2017/03/04", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "destination.ip": [ + "10.237.163.139" + ], + 
"destination.port": 4402, + "event.code": "882", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=quidolor sn=tessec time=\"2017/03/18 18:24:33\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4091, + "log.original": "itatio", + "network.protocol": "igmp", + "observer.egress.interface.name": "eth1612", + "observer.ingress.interface.name": "enp0s6614", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.237.163.139", + "10.135.187.104" + ], + "rsa.internal.messageid": "882", + "rsa.internal.msg": "itatio", + "rsa.network.dinterface": "eth1612", + "rsa.network.sinterface": "enp0s6614", + "rsa.time.date": "2017/03/18", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.187.104" + ], + "source.port": 7557, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "139", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepor sn=ali time=\"2017/04/02 01:27:07\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4276, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "139", + "rsa.time.date": "2017/04/02", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.ip": [ + "10.248.101.25" + ], + "event.code": "372", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ehen sn=tate 
time=\"2017/04/16 08:29:41\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4376, + "log.original": "ommodico", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.60.129.15", + "10.248.101.25" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "ommodico", + "rsa.time.date": "2017/04/16", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.60.129.15" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "136", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/30 15:32:16\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4516, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "136", + "rsa.time.date": "2017/04/30", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "1079", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=reetdolo sn=smo time=\"2017/05/14 22:34:50\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "fileset.name": "firewall", + "host.ip": "10.14.111.221", + "input.type": "log", + "log.offset": 4637, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.14.111.221" + ], + "related.user": [ + "tco" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": 
"", + "rsa.time.date": "2017/05/14", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "tco" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "76", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/29 05:37:24\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4780, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "76", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "29", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=volu sn=nonn time=\"2017/06/12 12:39:58\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4892, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "29", + "rsa.time.date": "2017/06/12", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.14.1.45" + ], + "destination.port": 4499, + "event.code": "196", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=sBon sn=orro time=\"2017/06/26 19:42:33\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "fileset.name": "firewall", + "http.request.method": "HEAD", + "input.type": 
"log", + "log.offset": 5010, + "log.original": "vita", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.126.34.82", + "10.14.1.45" + ], + "rsa.internal.messageid": "196", + "rsa.internal.msg": "vita", + "rsa.time.date": "2017/06/26", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "sonicwall", + "source.bytes": 2224, + "source.ip": [ + "10.126.34.82" + ], + "source.port": 3142, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.nat.ip": "10.101.74.44", + "destination.nat.port": 2134, + "event.code": "998", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "amvo id=qui sn=tasn time=\"2017/07/11 02:45:07\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5189, + "log.original": "utp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.251.20.13", + "10.101.74.44" + ], + "related.user": [ + "rsitv" + ], + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "utp", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.251.20.13", + "source.nat.port": 264, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "rsitv" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "9", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tvolupt sn=eufugi time=\"2017/07/25 09:47:41\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5358, + "observer.product": "Firewalls", + "observer.type": "Firewall", + 
"observer.vendor": "Sonicwall", + "rsa.internal.messageid": "9", + "rsa.time.date": "2017/07/25", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "40", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/08/08 16:50:15\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5472, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "40", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "163", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=pid sn=illoin time=\"2017/08/22 23:52:50\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5586, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2017/08/22", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "147", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mestq sn=temUt time=\"2017/09/06 06:55:24\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5713, + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "147", + "rsa.time.date": "2017/09/06", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "441", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=adeser sn=oin time=\"2017/09/20 13:57:58\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5864, + "log.original": "quam", + "observer.ingress.interface.name": "enp0s3962", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.1.36.97" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "quam", + "rsa.network.sinterface": "enp0s3962", + "rsa.time.date": "2017/09/20", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.1.36.97" + ], + "source.port": 3628, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "reetdol id=totamre sn=isnostr time=\"2017/10/04 21:00:32\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6038, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.ip": [ + "10.216.125.252" + ], + 
"event.code": "402", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/19 04:03:07\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6164, + "log.original": "tvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.54.14.189", + "10.216.125.252" + ], + "rsa.internal.messageid": "402", + "rsa.internal.msg": "tvol", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.54.14.189" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.address": "ise5905.www.local", + "destination.nat.ip": "10.53.113.23", + "destination.nat.port": 4027, + "event.code": "1154", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elitse id=ima sn=quasia time=\"2017/11/02 11:05:41\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "fileset.name": "firewall", + "host.hostname": "tiaec5551.www.local", + "input.type": "log", + "log.offset": 6336, + "log.original": "mac", + "observer.egress.interface.name": "lo1918", + "observer.ingress.interface.name": "eth5313", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.97.124.211", + "10.53.113.23" + ], + "rsa.identity.user_sid_dst": "iumdol", + "rsa.internal.messageid": "1154", + "rsa.internal.msg": "mac", + "rsa.network.dinterface": "lo1918", + "rsa.network.host_dst": "ise5905.www.local", + "rsa.network.sinterface": 
"eth5313", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "sonicwall", + "source.address": "tiaec5551.www.local", + "source.nat.ip": "10.97.124.211", + "source.nat.port": 6198, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "135", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=asiarc sn=ian time=\"2017/11/16 18:08:15\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6583, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "135", + "rsa.time.date": "2017/11/16", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.ip": [ + "10.64.229.79" + ], + "destination.port": 3620, + "event.code": "83", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=intocc sn=amcorp time=\"2017/12/01 01:10:49\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6705, + "log.original": "utodita", + "observer.egress.interface.name": "eth41", + "observer.ingress.interface.name": "eth2003", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.187.201.250", + "10.64.229.79" + ], + "rsa.db.index": "rumwrit", + "rsa.internal.messageid": "83", + "rsa.internal.msg": "utodita", + "rsa.network.dinterface": "eth41", + "rsa.network.sinterface": "eth2003", + "rsa.time.date": "2017/12/01", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + 
"service.type": "sonicwall", + "source.ip": [ + "10.187.201.250" + ], + "source.port": 5504, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.nat.ip": "10.76.110.144", + "destination.nat.port": 2497, + "event.code": "931", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=con time=\"2017/12/15 08:13:24\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6906, + "log.original": "qua", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.108.249.60", + "10.76.110.144" + ], + "rsa.internal.messageid": "931", + "rsa.internal.msg": "qua", + "rsa.misc.ntype": "rsita", + "rsa.time.date": "2017/12/15", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.108.249.60", + "source.nat.port": 7150, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T17:15:58.000Z", + "event.code": "11", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "rem id=asper sn=idunt time=\"2017/12/29 15:15:58\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7050, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "11", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "88", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uisaute sn=imide time=\"2018/01/12 
22:18:32\" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7192, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "88", + "rsa.time.date": "2018/01/12", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.nat.ip": "10.31.190.145", + "destination.nat.port": 3333, + "event.code": "243", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ilmol sn=eri time=\"2018/01/27 05:21:06\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7327, + "log.original": "eriti", + "network.protocol": "icmp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.147.88.219", + "10.31.190.145" + ], + "related.user": [ + "corpori" + ], + "rsa.internal.messageid": "243", + "rsa.internal.msg": "eriti", + "rsa.time.date": "2018/01/27", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.147.88.219", + "source.nat.port": 7595, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "corpori" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.ip": [ + "10.251.248.228" + ], + "destination.mac": "01:00:5e:c3:ed:55", + "destination.port": 6909, + "event.action": "deny", + "event.code": "ntutlabo", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ntutlabo sn=iusmodte time=\"2018-2-10 12:23:41\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem 
src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", + "fileset.name": "firewall", + "host.ip": "10.108.84.24", + "input.type": "log", + "log.level": "low", + "log.offset": 7499, + "network.protocol": "udp", + "observer.ingress.interface.name": "eth163", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.108.84.24", + "10.113.100.237", + "10.251.248.228" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "606", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "iosamnis", + "rsa.misc.reference_id": "ntutlabo", + "rsa.misc.serial_number": "iusmodte", + "rsa.misc.severity": "low", + "rsa.network.sinterface": "eth163", + "rsa.time.date": "2018-2-10", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.113.100.237" + ], + "source.mac": " 01:00:5e:8b:c1:b4", + "source.port": 3887, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.code": "28", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7742, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "28", + "rsa.time.date": "2018/02/24", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "61", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "sit id=rumSect sn=ita time=\"2018/03/11 02:28:49\" fw=10.139.65.241 pri=low c=teni 
m=61 Diagnostic Code E", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7855, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "61", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "906", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oremag id=illu sn=ruredo time=\"2018/03/25 09:31:24\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7959, + "log.original": "its", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "906", + "rsa.internal.msg": "its", + "rsa.misc.ntype": "lore", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "134", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=onu sn=liquaUte time=\"2018/04/08 16:33:58\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8075, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "134", + "rsa.time.date": "2018/04/08", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.action": "allow", + "event.code": "mveniamq", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mveniamq sn=taedict 
time=\"2018-4-22 11:36:32\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.206.69.135", + "input.type": "log", + "log.level": "high", + "log.offset": 8197, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.206.69.135" + ], + "rsa.db.index": "aaliq", + "rsa.internal.event_desc": "utfug", + "rsa.internal.messageid": "880", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aturve", + "rsa.misc.reference_id": "mveniamq", + "rsa.misc.serial_number": "taedict", + "rsa.misc.severity": "high", + "rsa.time.date": "2018-4-22", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "441", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uiinea sn=mnisiut time=\"2018/05/07 06:39:06\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8339, + "log.original": "labor", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.240.54.28" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "labor", + "rsa.time.date": "2018/05/07", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.240.54.28" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "163", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mve sn=uia time=\"2018/05/21 13:41:41\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": 
"firewall", + "input.type": "log", + "log.offset": 8484, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2018/05/21", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "destination.ip": [ + "10.104.49.142" + ], + "event.code": "252", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doei sn=cipitl time=\"2018/06/04 20:44:15\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8610, + "log.original": "eprehend", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.104.49.142", + "10.102.166.19" + ], + "rsa.internal.messageid": "252", + "rsa.internal.msg": "eprehend", + "rsa.time.date": "2018/06/04", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.102.166.19" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "88", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/06/19 03:46:49\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8759, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "88", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + 
"event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iumt sn=tsed time=\"2018/07/03 10:49:23\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8898, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.date": "2018/07/03", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "destination.ip": [ + "10.137.217.159" + ], + "destination.port": 563, + "event.code": "195", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=loremag sn=tcu time=\"2018/07/17 17:51:58\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9005, + "log.original": "rorsit", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.77.95.12", + "10.137.217.159" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "rorsit", + "rsa.time.date": "2018/07/17", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.77.95.12" + ], + "source.port": 2310, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "48", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elillum id=upt sn=rnat time=\"2018/08/01 00:54:32\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 
9180, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "48", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.nat.ip": "10.191.242.168", + "destination.nat.port": 5251, + "event.code": "995", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "doeiu id=deF sn=itempo time=\"2018/08/15 07:57:06\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9302, + "log.original": "isci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.191.242.168", + "10.165.48.224" + ], + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "isci", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.165.48.224", + "source.nat.port": 5386, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "909", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/29 14:59:40\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9476, + "log.original": "emq", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "909", + "rsa.internal.msg": "emq", + "rsa.misc.ntype": "plicaboN", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + 
{ + "@timestamp": "2018-09-13T00:02:15.000Z", + "destination.nat.ip": "10.116.173.79", + "destination.nat.port": 7693, + "event.code": "178", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=admi time=\"2018/09/12 22:02:15\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9591, + "log.original": "ende", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.116.173.79", + "10.185.37.32" + ], + "rsa.internal.messageid": "178", + "rsa.internal.msg": "ende", + "rsa.misc.ntype": "abor", + "rsa.time.date": "2018/09/12", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.185.37.32", + "source.nat.port": 708, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.nat.ip": "10.57.85.98", + "destination.nat.port": 3286, + "event.code": "995", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=olorem sn=gitse time=\"2018/09/27 05:04:49\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9736, + "log.original": "sci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.219.42.212", + "10.57.85.98" + ], + "rsa.internal.event_desc": "mquisno", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "sci", + "rsa.time.date": "2018/09/27", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.219.42.212", + "source.nat.port": 5708, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + 
"@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "137", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=isiutali time=\"2018/10/11 12:07:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9906, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "137", + "rsa.time.date": "2018/10/11", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "destination.ip": [ + "10.195.223.82" + ], + "event.code": "351", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uaturve sn=amquisno time=\"2018/10/25 19:09:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10011, + "log.original": "CSe", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.195.223.82", + "10.135.70.159" + ], + "rsa.internal.messageid": "351", + "rsa.internal.msg": "CSe", + "rsa.time.date": "2018/10/25", + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.70.159" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "261", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atu sn=iusm time=\"2018/11/09 02:12:32\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10159, + "log.original": "rsitvolu", + 
"observer.ingress.interface.name": "eth3249", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.22.244.71" + ], + "related.user": [ + "usmo" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "rsitvolu", + "rsa.network.sinterface": "eth3249", + "rsa.time.date": "2018/11/09", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.22.244.71" + ], + "source.port": 1865, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "usmo" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "125", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=oin sn=itseddoe time=\"2018/11/23 09:15:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10327, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "125", + "rsa.time.date": "2018/11/23", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "105", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=giatquov sn=olu time=\"2018/12/07 16:17:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10431, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "105", + "rsa.time.date": "2018/12/07", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "34", + 
"event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emagn id=emulla sn=mips time=\"2018/12/21 23:20:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10543, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "144", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itametc sn=ori time=\"2019/01/05 06:22:49\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10662, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/01/05", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "destination.nat.ip": "10.12.54.142", + "destination.nat.port": 6543, + "event.code": "658", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doconse sn=etdol time=\"2019/01/19 13:25:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10785, + "log.original": "osquirat", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.12.54.142", + "10.56.10.84" + ], + "rsa.internal.messageid": "658", + "rsa.internal.msg": "osquirat", + "rsa.misc.ntype": "equat", 
+ "rsa.time.date": "2019/01/19", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.56.10.84", + "source.nat.port": 5366, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "destination.ip": [ + "10.117.63.181" + ], + "destination.port": 6863, + "event.code": "195", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=min sn=oluptat time=\"2019/02/02 20:27:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10936, + "log.original": "magnaal", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.222.169.140", + "10.117.63.181" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "magnaal", + "rsa.time.date": "2019/02/02", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.222.169.140" + ], + "source.port": 5299, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "867", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=eacommo sn=ueip time=\"2019/02/17 03:30:32\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11116, + "log.original": "scipi", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "scipi", + "rsa.misc.ntype": "acon", + "rsa.time.date": "2019/02/17", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "sonicwall", + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "usm id=labori sn=porai time=\"2019/03/03 10:33:06\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11230, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.ip": [ + "10.200.122.184" + ], + "destination.port": 1176, + "event.action": "allow", + "event.code": "794", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=lup sn=upta time=\"2019-3-17 5:35:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11348, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth5397", + "observer.ingress.interface.name": "lo1325", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.57.255.4", + "10.200.122.184" + ], + "rsa.identity.user_sid_dst": "sBon", + "rsa.internal.event_desc": "fic", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "eth5397", + "rsa.network.sinterface": "lo1325", + "rsa.time.date": "2019-3-17", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.57.255.4" + ], + "source.port": 239, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "19", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mmod sn=iti time=\"2019/04/01 00:38:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11600, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "19", + "rsa.time.date": "2019/04/01", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.nat.ip": "10.129.101.147", + "destination.nat.port": 3606, + "event.code": "413", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mag sn=gelitse time=\"2019/04/15 07:40:49\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11692, + "log.original": "upta", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.129.101.147", + "10.206.229.61" + ], + "rsa.internal.messageid": "413", + "rsa.internal.msg": "upta", + "rsa.time.date": "2019/04/15", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.206.229.61", + "source.nat.port": 3467, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.code": "159", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nostrud sn=cteturad time=\"2019/04/29 14:43:23\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 
11843, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "159", + "rsa.time.date": "2019/04/29", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "1079", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oluptate id=lit sn=santi time=\"2019/05/13 21:45:57\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", + "fileset.name": "firewall", + "host.ip": "10.221.220.148", + "input.type": "log", + "log.offset": 11953, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.221.220.148" + ], + "related.user": [ + "amc" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "amc" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.ip": [ + "10.125.85.128" + ], + "event.code": "355", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=psumd time=\"2019/05/28 04:48:31\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12100, + "log.original": "labo", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.125.85.128", + "10.78.29.246" + ], + "rsa.internal.messageid": "355", + "rsa.internal.msg": "labo", + "rsa.time.date": "2019/05/28", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.78.29.246" + ], + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "101", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/06/11 11:51:06\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12238, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "101", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "destination.ip": [ + "10.29.120.226" + ], + "destination.port": 1129, + "event.action": "allow", + "event.code": "712", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iamqui sn=tassita time=\"2019/06/25 18:53:40\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12366, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.29.120.226", + "10.203.146.137" + ], + "rsa.internal.messageid": "712", + "rsa.misc.action": [ + "allow" + ], + "rsa.time.date": "2019/06/25", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.203.146.137" + ], + "source.port": 4213, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "670", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "inesciu id=quid sn=atcupid time=\"2019/07/10 01:56:14\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", + "fileset.name": "firewall", + 
"input.type": "log", + "log.offset": 12521, + "log.original": "con", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "670", + "rsa.internal.msg": "con", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "151", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/07/24 08:58:48\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12643, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "151", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.nat.ip": "10.110.208.170", + "destination.nat.port": 6374, + "event.code": "931", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=arch sn=lite time=\"2019/08/07 16:01:23\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12776, + "log.original": "aecatcup", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.245.216.15", + "10.110.208.170" + ], + "rsa.internal.messageid": "931", + "rsa.internal.msg": "aecatcup", + "rsa.misc.ntype": "snisiut", + "rsa.time.date": "2019/08/07", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.245.216.15", + "source.nat.port": 7800, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", + "event.code": "1086", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rumSecti sn=Utenima time=\"2019-8-21 11:03:57\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12934, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "radip", + "rsa.internal.messageid": "1086", + "rsa.misc.action": [ + "deny" + ], + "rsa.time.date": "2019-8-21", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "8", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=amquisno sn=modoc time=\"2019/09/05 06:06:31\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13067, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "8", + "rsa.time.date": "2019/09/05", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Bonorum sn=lesti time=\"2019/09/19 13:09:05\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13174, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + 
"rsa.time.date": "2019/09/19", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "47", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "uuntur id=tsedquia sn=its time=\"2019/10/03 20:11:40\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13290, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "47", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.250.149.166" + ], + "destination.port": 6342, + "event.action": "block", + "event.code": "713", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatevel sn=midestl time=\"2019/10/18 03:14:14\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13405, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.143.0.78", + "10.250.149.166" + ], + "rsa.internal.messageid": "713", + "rsa.misc.action": [ + "block" + ], + "rsa.time.date": "2019/10/18", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.143.0.78" + ], + "source.port": 3113, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "91", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=hilmole sn=sequ time=\"2019/11/01 10:16:48\" 
fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13563, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "91", + "rsa.time.date": "2019/11/01", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "766", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "umtota id=etdolore sn=magnaa time=\"2019/11/15 17:19:22\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13682, + "log.original": "equam", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "766", + "rsa.internal.msg": "equam", + "rsa.misc.ntype": "isi", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "58", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rep sn=remap time=\"2019/11/30 00:21:57\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13799, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "58", + "rsa.time.date": "2019/11/30", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.ip": [ + 
"10.219.228.115"
+ ],
+ "destination.port": 745,
+ "event.action": "deny",
+ "event.code": "373",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "id=nesciun sn=amcolab time=\"2019/12/14 07:24:31\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.offset": 13975,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "10.179.3.247",
+ "10.219.228.115"
+ ],
+ "rsa.internal.messageid": "373",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.time.date": "2019/12/14",
+ "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "10.179.3.247"
+ ],
+ "source.port": 3445,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md
new file mode 100644
index 00000000000..6956555b2dd
--- /dev/null
+++ b/x-pack/filebeat/module/squid/README.md
@@ -0,0 +1,7 @@
+# squid module
+
+This is a module for Squid logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112
+at 2020-07-13 17:55:42.446629 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml
new file mode 100644
index 00000000000..e3d681dac2a
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: squid
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9520
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
new file mode 100644
index 00000000000..798af71b303
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
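Review bot: The config template does not expose `var.keep_raw_fields`, although docs.asciidoc in this same change documents it as a `log` fileset setting right next to `var.rsa_fields`, so a user working only from the generated config never learns the raw parser fields under `rsa.raw` can be switched on. Add a commented stanza mirroring the rsa_fields one: `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. The `var.syslog_host` line could likewise carry the caveat the docs give, that `0.0.0.0` binds every interface, so the listener's exposure is stated where the value is actually changed.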
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: squid
+:has-dashboards: false
+
+== Squid module
+
+experimental[]
+
+This is a module for receiving Squid logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9520`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/squid/_meta/fields.yml b/x-pack/filebeat/module/squid/_meta/fields.yml
new file mode 100644
index 00000000000..6268a29d8d9
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: squid
+ title: Squid
+ description: >
+ squid fields.
+ fields:
diff --git a/x-pack/filebeat/module/squid/fields.go b/x-pack/filebeat/module/squid/fields.go new file mode 100644 index 00000000000..5070915d425 --- /dev/null +++ b/x-pack/filebeat/module/squid/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package squid + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "squid", asset.ModuleFieldsPri, AssetSquid); err != nil { + panic(err) + } +} + +// AssetSquid returns asset data. +// This is the base64 encoded gzipped contents of module/squid. +func AssetSquid() string { + return "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" +} diff --git a/x-pack/filebeat/module/squid/log/_meta/fields.yml b/x-pack/filebeat/module/squid/log/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/squid/log/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ overwrite: true
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ overwrite: true
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ overwrite: true
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ overwrite: true
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ overwrite: true
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ overwrite: true
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ overwrite: true
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ overwrite: true
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
new file mode 100644
index 00000000000..ac392325320
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Squid"
+ product: "Proxy"
+ type: "Proxies"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/squid/log/config/liblogparser.js
+ - ${path.home}/module/squid/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js
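Review bot: `tz_offset: {{.tz_offset}}` under the script params is rendered unquoted, so an offset in the `[+-]HHMM` form that parse_tz_offset in liblogparser.js documents as required (for example `+0200`) is liable to be decoded by the YAML reader as a number rather than a string, after which parse_tz_offset calls `.match` on a non-string and the processor fails to register. Quoting the rendered value, `tz_offset: "{{.tz_offset}}"`, keeps the user's setting a string regardless of its form; `host` in the same template already uses that pattern. Which YAML decoder reads the rendered input and whether it treats `+0200` as numeric is not visible here, so this is a point to verify rather than a confirmed failure.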
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", 
"%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant(" ["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("GET", dup15); + +var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var msg2 = msg("GET:02", part1); + +var msg3 = msg("GET:01", dup16); + +var select2 = linear_select([ + msg1, + msg2, + msg3, +]); + +var msg4 = msg("HEAD", dup15); + +var msg5 = msg("HEAD:01", dup16); + +var 
select3 = linear_select([ + msg4, + msg5, +]); + +var msg6 = msg("POST", dup17); + +var msg7 = msg("POST:01", dup18); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("PUT", dup19); + +var msg9 = msg("PUT:01", dup20); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("DELETE", dup19); + +var msg11 = msg("DELETE:01", dup20); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("TRACE", dup19); + +var msg13 = msg("TRACE:01", dup20); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("OPTIONS", dup19); + +var msg15 = msg("OPTIONS:01", dup20); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var msg16 = msg("CONNECT", dup17); + +var msg17 = msg("CONNECT:01", dup18); + +var select9 = linear_select([ + msg16, + msg17, +]); + +var msg18 = msg("ICP_QUERY", dup19); + +var msg19 = msg("ICP_QUERY:01", dup20); + +var select10 = linear_select([ + msg18, + msg19, +]); + +var msg20 = msg("PURGE", dup19); + +var msg21 = msg("PURGE:01", dup20); + +var select11 = linear_select([ + msg20, + msg21, +]); + +var msg22 = msg("PROPFIND", dup19); + +var msg23 = msg("PROPFIND:01", dup20); + +var select12 = linear_select([ + msg22, + msg23, +]); + +var msg24 = msg("PROPATCH", dup19); + +var msg25 = msg("PROPATCH:01", dup20); + +var select13 = linear_select([ + msg24, + msg25, +]); + +var msg26 = msg("MKOL", dup19); + +var msg27 = msg("MKOL:01", dup20); + +var select14 = linear_select([ + msg26, + msg27, +]); + +var msg28 = msg("COPY", dup19); + +var msg29 = msg("COPY:01", dup20); + +var select15 = linear_select([ + msg28, + msg29, +]); + +var msg30 = msg("MOVE", dup19); + +var msg31 = msg("MOVE:01", dup20); + +var select16 = linear_select([ + msg30, + msg31, +]); + +var msg32 = msg("LOCK", dup19); + +var msg33 = msg("LOCK:01", dup20); + +var select17 = linear_select([ + msg32, + msg33, +]); + +var msg34 = msg("UNLOCK", dup19); + +var msg35 = msg("UNLOCK:01", dup20); + +var select18 = 
linear_select([ + msg34, + msg35, +]); + +var msg36 = msg("NONE", dup19); + +var msg37 = msg("NONE:01", dup20); + +var select19 = linear_select([ + msg36, + msg37, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), +]); + +var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} 
%{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml new file mode 100644 index 00000000000..caeba41fcbc --- /dev/null +++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for Squid + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/squid/log/manifest.yml b/x-pack/filebeat/module/squid/log/manifest.yml new file mode 100644 index 00000000000..8ae24b8f147 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/manifest.yml 
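Review bot: The `on_failure` handler at the end of this pipeline only appends `_ingest.on_failure_message` to `error.message`, so an event whose geoip or user_agent step failed is still indexed looking like a cleanly parsed Squid event and is only distinguishable by a query that happens to inspect `error.message`. Adding `- set:` / `    field: event.kind` / `    value: pipeline_error` next to the append makes failed enrichments findable from detection rules and dashboards instead of silently degrading the data. Separately, the four geoip processors are fed `source.ip` and `destination.ip`, which this module emits as arrays (the expected-output fixture shows `"source.ip": ["10.105.21.199"]`); the lookups evidently work in the recorded test run, but a short comment such as `# source.ip/destination.ip are arrays here; geoip is expected to resolve them` would stop a later mapping change from breaking enrichment without anyone noticing.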
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["squid.log", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9520 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/squid/log/test/access1.log b/x-pack/filebeat/module/squid/log/test/access1.log new file mode 100644 index 00000000000..cb21bd0fc0b --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access1.log 
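Review bot: `input` defaults to `udp`, and UDP syslog carries no authentication and no source validation, so any process that can reach `syslog_port` can inject lines that this module will index as Squid proxy activity (user names, URLs, destination hosts) attributed to the real proxy; nothing in the manifest says so. The `syslog_host: localhost` default keeps that exposure to local processes, which is the right choice, but the variable list should state the trade-off, e.g. `# UDP syslog is unauthenticated; keep syslog_host on a loopback/trusted interface, or use the tcp input (or "paths" for local files) when receiving from other hosts` above the `input` entry. It is also worth a one-line note beside `rsa_fields: true` that every event then carries both the ECS and the `rsa.*` copies of each field (as the expected output shows), so operators understand the index-size cost before enabling `keep_raw_fields` on top of it.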
@@ -0,0 +1,100 @@ +1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 - +1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css +1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript +1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif +1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 - +1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 - +1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 - +1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif +1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html +1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 - +1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html +1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html +1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif +1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 - +1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 - +1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html +1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 - +1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif +1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html +1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html +1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css +1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html +1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css +1157689347.307 116 
10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css +1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css +1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? adeolaegbedokun DIRECT/68.142.194.14 text/html +1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml +1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html +1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml +1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml +1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif +1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif +1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif +1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml +1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif +1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg +1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg +1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg +1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml +1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml +1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html +1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html +1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg +1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash +1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif +1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif +1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 - +1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript +1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css +1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 - +1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif +1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET 
http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif +1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif +1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif +1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html +1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html +1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif +1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html +1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html +1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript +1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css +1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript +1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript +1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript +1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json new file mode 100644 index 00000000000..5f0e879398a --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json 
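Review bot: All 100 lines in `access1.log` are in Squid's native format (epoch timestamp first, matched by `HEADER#1:0002`), so the other header shape (`HEADER#0:0001`, the client-ip/port plus quoted-request form that carries `web_referer` and `user_agent`) and with it the pipeline's `user_agent` processor get no test coverage from this fixture; a few lines in that format would exercise the `hdr1` path and the UA parsing end to end. The fixture also contains what look like real account names (`badeyek`, `adeolaegbedokun`, `nazsoau`) together with a consistent 10.105.0.0/16 internal address plan; if this was captured from a production proxy, those values should be replaced with synthetic ones before the file ships in a public repository.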
@@ -0,0 +1,5710 @@ +[ + { + "@timestamp": "2006-09-08T04:21:52.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.73.177.115" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 5006, + "rsa.time.event_time": "2006-09-08T04:21:52.000Z", + "rsa.time.event_time_str": "1157689312", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 19763, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 
38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 115, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2864, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 10182, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + 
"destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", + "file.name": "styles.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 240, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1357, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:01.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", + "file.name": "styles.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 372, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": 
[ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:01.000Z", + "rsa.time.event_time_str": "1157689321", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1464, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:02.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", + "file.name": "urchin.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 490, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1464, + "rsa.time.event_time": "2006-09-08T04:22:02.000Z", + "rsa.time.event_time_str": "1157689322", 
+ "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + "service.type": "squid", + "source.bytes": 5626, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": "http://www.google-analytics.com/urchin.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:03.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 620, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 3856, + "rsa.time.event_time": "2006-09-08T04:22:03.000Z", + "rsa.time.event_time_str": "1157689323", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + 
"service.type": "squid", + "source.bytes": 30169, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "66.102.9.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", + "file.name": "__utm.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 745, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "66.102.9.147" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1372, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + "service.type": "squid", + "source.bytes": 399, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": 
"http://www.google-analytics.com/__utm.gif?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "newslogo.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 883, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1457, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/newslogo.gif", + 
"user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", + "file.name": "arsenal_shop_ad.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1026, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1465, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", + "user.name": "badeyek" + }, + { + 
"@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FUS.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1172, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1452, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FUS.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "event.action": "TCP_HIT", + 
"event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", + "file.name": "FGB.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1307, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FGB.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 36351, + "destination.as.organization.name": "SoftLayer Technologies Inc.", + "destination.geo.city_name": "Dallas", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9379, + "destination.geo.location.lon": -96.8384, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": [ + "209.85.16.38" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.953 2603 
10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", + "file.name": "s", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1429, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "209.85.16.38", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "as.casalemedia.com", + "rsa.time.duration_time": 2603, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "as.casalemedia.com", + "server.domain": "as.casalemedia.com", + "service.type": "squid", + "source.bytes": 1013, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "as.casalemedia.com", + "url.original": "http://as.casalemedia.com/s?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:06.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1554, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "68.142.213.132" + ], + "related.user": [ + 
"badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 4459, + "rsa.time.event_time": "2006-09-08T04:22:06.000Z", + "rsa.time.event_time_str": "1157689326", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 1845, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "us.bc.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 1299, + "destination.as.organization.name": "Telia Company AB", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.location.lat": 59.3247, + "destination.geo.location.lon": 18.056, + "destination.ip": [ + "217.212.240.172" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", + "file.name": "992098", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1668, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "217.212.240.172", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + 
"rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "impgb.tradedoubler.com", + "rsa.time.duration_time": 1356, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "impgb.tradedoubler.com", + "server.domain": "impgb.tradedoubler.com", + "service.type": "squid", + "source.bytes": 729, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "impgb.tradedoubler.com", + "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 3549, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.city_name": "Los Angeles", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.0675, + "destination.geo.location.lon": -118.3521, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "206.169.136.22" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", + "file.name": "text_group.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1820, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "206.169.136.22", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 3484, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1577, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", + "file.name": "FFR.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1958, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + 
"rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 9, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FFR.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FAU.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2080, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + 
"rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1431, + "rsa.time.event_time": "2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FAU.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "spacer.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2215, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + 
"rsa.time.duration_time": 1414, + "rsa.time.event_time": "2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 213, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/spacer.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:10.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "64.127.126.178" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", + "file.name": "text_group.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2356, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "64.127.126.178" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 1686, + "rsa.time.event_time": "2006-09-08T04:22:10.000Z", + "rsa.time.event_time_str": "1157689330", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1784, + "source.ip": [ + "10.105.21.199" + ], + 
"tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:11.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.161" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 -", + "file.name": "image", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2494, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.161", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "302", + "rsa.network.domain": "ff.connextra.com", + "rsa.time.duration_time": 3997, + "rsa.time.event_time": "2006-09-08T04:22:11.000Z", + "rsa.time.event_time_str": "1157689331", + "rsa.web.alias_host": "ff.connextra.com", + "server.domain": "ff.connextra.com", + "service.type": "squid", + "source.bytes": 851, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "ff.connextra.com", + "url.original": 
"http://ff.connextra.com/Ladbrokes/selector/image?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:15.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.160" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif", + "file.name": "controller", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2633, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.160", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "dd.connextra.com", + "rsa.time.duration_time": 3962, + "rsa.time.event_time": "2006-09-08T04:22:15.000Z", + "rsa.time.event_time_str": "1157689335", + "rsa.web.alias_host": "dd.connextra.com", + "server.domain": "dd.connextra.com", + "service.type": "squid", + "source.bytes": 30904, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "dd.connextra.com", + "url.original": "http://dd.connextra.com/servlet/controller?", + "user.name": "badeyek" + }, + 
{ + "@timestamp": "2006-09-08T04:22:17.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2776, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:17.000Z", + "rsa.time.event_time_str": "1157689337", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 1661, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:22.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2871, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "209.73.177.115", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3657, + "rsa.time.event_time": "2006-09-08T04:22:22.000Z", + "rsa.time.event_time_str": "1157689342", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 12569, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", + "file.name": "msgrcli7.html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2986, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "update.messenger.yahoo.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": 
"2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "update.messenger.yahoo.com", + "server.domain": "update.messenger.yahoo.com", + "service.type": "squid", + "source.bytes": 1752, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "update.messenger.yahoo.com", + "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1371, + "rsa.time.event_time": "2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 484, + "source.ip": [ + 
"10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3256, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4969, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 29359, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": 
"nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "homepage.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3370, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218", + "204.13.51.238" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1631, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 5930, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/homepage.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:25.000Z", + "destination.as.number": 36646, + 
"destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3508, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1810, + "rsa.time.event_time": "2006-09-08T04:22:25.000Z", + "rsa.time.event_time_str": "1157689345", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 1645, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:26.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", + "file.name": 
"read0600win_ENUadbe0000.xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3652, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.58" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "rms.adobe.com", + "rsa.time.duration_time": 880, + "rsa.time.event_time": "2006-09-08T04:22:26.000Z", + "rsa.time.event_time_str": "1157689346", + "rsa.web.alias_host": "rms.adobe.com", + "server.domain": "rms.adobe.com", + "service.type": "squid", + "source.bytes": 1812, + "source.ip": [ + "10.105.37.58" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "rms.adobe.com", + "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", + "file.name": "style.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3798, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + 
"rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 10, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + "source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/styles/style.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", + "file.name": "buttons_en_us.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3921, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 116, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + "source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", + "user.name": "nazsoau" + }, + { + 
"@timestamp": "2006-09-08T04:22:27.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4059, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 6160, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 27799, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:29.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "headernav.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4173, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218", + "204.13.51.238" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1758, + "rsa.time.event_time": "2006-09-08T04:22:29.000Z", + "rsa.time.event_time_str": "1157689349", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 4470, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/headernav.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:30.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + 
"destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4312, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1393, + "rsa.time.event_time": "2006-09-08T04:22:30.000Z", + "rsa.time.event_time_str": "1157689350", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 382, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4455, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.194.14" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 3667, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 24095, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "playmessenger.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4592, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 4899, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 22964, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:34.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4758, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1349, + "rsa.time.event_time": "2006-09-08T04:22:34.000Z", + "rsa.time.event_time_str": "1157689354", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 646, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:35.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.191.93.51" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? 
adeolaegbedokun DIRECT/209.191.93.51 text/xml", + "file.name": "us", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4901, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "209.191.93.51" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "address.yahoo.com", + "rsa.time.duration_time": 1578, + "rsa.time.event_time": "2006-09-08T04:22:35.000Z", + "rsa.time.event_time_str": "1157689355", + "rsa.web.alias_host": "address.yahoo.com", + "server.domain": "address.yahoo.com", + "service.type": "squid", + "source.bytes": 699, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "address.yahoo.com", + "url.original": "http://address.yahoo.com/yab/us?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:36.000Z", + "destination.as.number": 36856, + "destination.as.organization.name": "Mozilla Corporation", + "destination.geo.city_name": "Sacramento", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.6415, + "destination.geo.location.lon": -121.5114, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "63.245.209.21" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", + "file.name": "rss20.xml", + 
"fileset.name": "log", + "input.type": "log", + "log.offset": 5037, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "63.245.209.21" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "fxfeeds.mozilla.org", + "rsa.time.duration_time": 6741, + "rsa.time.event_time": "2006-09-08T04:22:36.000Z", + "rsa.time.event_time_str": "1157689356", + "rsa.web.alias_host": "fxfeeds.mozilla.org", + "server.domain": "fxfeeds.mozilla.org", + "service.type": "squid", + "source.bytes": 734, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "fxfeeds.mozilla.org", + "url.original": "http://fxfeeds.mozilla.org/rss20.xml", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.231.252 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5170, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.231.252", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 6424, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 31400, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5316, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.194.14" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2831, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 21152, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5461, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + 
"rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5561, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + 
"event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5693, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5823, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": 
"text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5923, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 711, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + 
"rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6102, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations_over.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6202, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 713, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": 
-97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6386, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1982, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 362, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_left.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6529, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 725, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 511, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun 
DIRECT/68.142.219.132 -", + "file.name": "launchcast_radio.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6711, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 687, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6894, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7027, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": 
"-" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_right.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7158, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 783, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, 
+ "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_center.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7341, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2242, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_controls_off.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7525, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 827, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "t.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7715, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 751, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", + "file.name": "btn_off_state_station.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7891, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", + "file.name": "bg_controls_fill.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8068, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + 
"rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_IMS_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 13, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", + "file.name": "toolbar50x50.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + 
"rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 2263, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:43.000Z", + "destination.as.number": 2818, + "destination.as.organization.name": "BBC", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "212.58.226.33" + ], + "event.action": "TCP_REFRESH_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", + "file.name": "rss.xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8394, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "212.58.226.33", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_MISS", + "GET" + ], + "rsa.misc.content_type": "application/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "newsrss.bbc.co.uk", + "rsa.time.duration_time": 6517, + "rsa.time.event_time": "2006-09-08T04:22:43.000Z", + "rsa.time.event_time_str": "1157689363", + "rsa.web.alias_host": "newsrss.bbc.co.uk", + "server.domain": "newsrss.bbc.co.uk", + "service.type": "squid", + 
"source.bytes": 17396, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "newsrss.bbc.co.uk", + "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", + "file.name": "beacon.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8579, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.231.252", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2140, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "32457654.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8733, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "304", + "rsa.network.domain": "us.ent1.yimg.com", + "rsa.time.duration_time": 7, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.ent1.yimg.com", + "server.domain": "us.ent1.yimg.com", + "service.type": "squid", + "source.bytes": 219, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.ent1.yimg.com", + "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10593, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:45.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST 
http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2420, + "rsa.time.event_time": "2006-09-08T04:22:45.000Z", + "rsa.time.event_time_str": "1157689365", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1270, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:46.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "file.name": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9274, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1966, + "rsa.time.event_time": "2006-09-08T04:22:46.000Z", + "rsa.time.event_time_str": "1157689366", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10519, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.080 1703 
10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9504, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 1703, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 515, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9677, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 3057, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 14411, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9852, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 808, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1627, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", + "file.name": "iesocks", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10013, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 1226, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1728, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/iesocks?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? 
- NONE/- text/html", + "file.name": "return", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10131, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1725, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/return?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + 
"file.name": "thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1202, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 13124, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "starter.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10482, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 736, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 912, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "default.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10651, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 828, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1450, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.152" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET 
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", + "file.name": "081106_lrec_msgr_interophitchhiker.swf", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10813, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.152", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-shockwave-flash", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.a2.yimg.com", + "rsa.time.duration_time": 3617, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "us.a2.yimg.com", + "server.domain": "us.a2.yimg.com", + "service.type": "squid", + "source.bytes": 30432, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.a2.yimg.com", + "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:53.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET 
http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "stickwall.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11035, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 1626, + "rsa.time.event_time": "2006-09-08T04:22:53.000Z", + "rsa.time.event_time_str": "1157689373", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 14643, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:54.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif", + "file.name": "b", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11200, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.213.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 2078, + "rsa.time.event_time": "2006-09-08T04:22:54.000Z", + "rsa.time.event_time_str": "1157689374", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 425, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "http://us.bc.yahoo.com/b?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:56.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", + "file.name": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11331, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.194.14" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2130, + "rsa.time.event_time": "2006-09-08T04:22:56.000Z", + "rsa.time.event_time_str": "1157689376", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.124.55" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11551, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.109.124.55", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "pclick.internal.yahoo.com", + "rsa.time.duration_time": 3412, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "pclick.internal.yahoo.com", + "server.domain": "pclick.internal.yahoo.com", + "service.type": "squid", + "source.bytes": 1476, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "pclick.internal.yahoo.com", + "url.original": "pclick.internal.yahoo.com:443", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", + "file.name": "rapiBridge_1_4.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11683, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + 
"rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 11, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 233, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", + "file.name": "other.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11922, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1159, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 236, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_left.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12133, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": 
"GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 797, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12362, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.73.177.115" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3288, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 2681, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", + "file.name": "noaccess_msgr_uk.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12476, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1405, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 136, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_right.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12706, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 702, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 237, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", + "file.name": "t.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12936, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": 
"a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_off.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13147, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.167" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 563, + 
"rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_center.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13384, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": 
"image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 560, + "rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:00.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_fill.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13615, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.167" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 685, + "rsa.time.event_time": "2006-09-08T04:23:00.000Z", + "rsa.time.event_time_str": "1157689380", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", + "file.name": "supported_domains", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13853, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 
1728, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/supported_domains", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html", + "file.name": "chknews.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13972, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1782, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.125.112" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": 
"squid.log", + "event.module": "squid", + "event.original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif", + "file.name": "l", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14109, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.109.125.112" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "launch.adserver.yahoo.com", + "rsa.time.duration_time": 2171, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "launch.adserver.yahoo.com", + "server.domain": "launch.adserver.yahoo.com", + "service.type": "squid", + "source.bytes": 449, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "launch.adserver.yahoo.com", + "url.original": "http://launch.adserver.yahoo.com/l?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "destination.as.number": 34010, + "destination.as.organization.name": "Yahoo! UK Services Limited", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "217.12.10.96" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html", + "file.name": "launch", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14251, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "217.12.10.96" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "uk.f250.mail.yahoo.com", + "rsa.time.duration_time": 3700, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "uk.f250.mail.yahoo.com", + "server.domain": "uk.f250.mail.yahoo.com", + "service.type": "squid", + "source.bytes": 11746, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "uk.f250.mail.yahoo.com", + "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14389, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "CONNECT" + ], + "rsa.misc.content_type": "text/html", + 
"rsa.misc.result_code": "407", + "rsa.network.domain": "login.live.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "login.live.com", + "server.domain": "login.live.com", + "service.type": "squid", + "source.bytes": 1670, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.live.com", + "url.original": "login.live.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:04.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_SWAPFAIL_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "77cf3e56414f974dfd8616f56f0f632c_1.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14491, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.169", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_SWAPFAIL_MISS", + "GET" + ], + "rsa.misc.content_type": 
"application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 2828, + "rsa.time.event_time": "2006-09-08T04:23:04.000Z", + "rsa.time.event_time_str": "1157689384", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 633, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:05.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", + "file.name": "ygma5.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14714, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 1397, + "rsa.time.event_time": "2006-09-08T04:23:05.000Z", + "rsa.time.event_time_str": "1157689385", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 1742, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": 
"http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14848, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.169" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1977, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 14561, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", + "file.name": "ac.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15064, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 80, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 68733, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- 
application/x-javascript", + "file.name": "yahoo_2.0.0-b4.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15231, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 898, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", + "file.name": "liam_ball_1.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15402, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": 
"ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 60, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 26803, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "user.name": "badeyek" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md new file mode 100644 index 00000000000..5900664019f --- /dev/null +++ b/x-pack/filebeat/module/tenable/README.md @@ -0,0 +1,7 @@ +# tenable module + +This is a module for Tenable Network Security Nessus logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 +at 2020-07-13 17:55:39.468229 +0000 UTC. + diff --git a/x-pack/filebeat/module/tenable/_meta/config.yml b/x-pack/filebeat/module/tenable/_meta/config.yml new file mode 100644 index 00000000000..5d4527eb47b --- /dev/null +++ b/x-pack/filebeat/module/tenable/_meta/config.yml @@ -0,0 +1,19 @@ +- module: tenable + nessus_security: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9516 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/x-pack/filebeat/module/tenable/_meta/docs.asciidoc b/x-pack/filebeat/module/tenable/_meta/docs.asciidoc
new file mode 100644
index 00000000000..a0b811750cb
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: tenable
+:has-dashboards: false
+
+== Tenable module
+
+experimental[]
+
+This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: nessus_security
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `nessus_security` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9516`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/tenable/_meta/fields.yml b/x-pack/filebeat/module/tenable/_meta/fields.yml new file mode 100644 index 00000000000..1c69ddd4b1f --- /dev/null +++ b/x-pack/filebeat/module/tenable/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: tenable + title: Tenable Network Security Nessus + description: > + tenable fields. + fields: diff --git a/x-pack/filebeat/module/tenable/fields.go b/x-pack/filebeat/module/tenable/fields.go new file mode 100644 index 00000000000..884611ba842 --- /dev/null +++ b/x-pack/filebeat/module/tenable/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package tenable + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "tenable", asset.ModuleFieldsPri, AssetTenable); err != nil { + panic(err) + } +} + +// AssetTenable returns asset data. +// This is the base64 encoded gzipped contents of module/tenable. +func AssetTenable() string { + return "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" +} diff --git a/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/input.yml b/x-pack/filebeat/module/tenable/nessus_security/config/input.yml new file mode 100644 index 00000000000..b91f14239e9 --- /dev/null +++ b/x-pack/filebeat/module/tenable/nessus_security/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Tenable"
+ product: "Nessus"
+ type: "Vulnerability"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/tenable/nessus_security/config/liblogparser.js
+ - ${path.home}/module/tenable/nessus_security/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js
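Review bot: The `debug: {{.debug}}` parameter handed to the script processor carries no comment saying what it actually switches on: the bundled liblogparser.js, when debug is set, writes every raw message to the Filebeat log (`console.debug(" input: <<" + msg + ">>")` in its match() helper) together with each dissect pattern, and this module's field list declares a `password` key described as "Passwords seen in any session, plain text or encrypted", so a debugging session can copy credentials out of the log stream into the agent's own log file. A one-line comment next to the parameter would make that operational cost visible to whoever enables it, e.g. `# debug: true makes liblogparser.js log every raw message at debug level; keep it off outside troubleshooting.` The same template is presumably repeated for the other datasets this PR adds, where the same comment would apply. The file is complete within the hunk (45 lines).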
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(": "), + field("hfld5"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0006", "message", 
"%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(") "), + field("hfld6"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ + dup1, + dup2, +])); + +var msg1 = msg("REPORTITEM", part1); + +var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ + dup1, + dup2, +])); + +var msg2 = msg("REPORTITEM:01", part2); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ + dup3, + dup2, + dup4, + setc("action","connecting"), +])); + +var msg3 = msg("connection", part3); + +var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ + dup3, + setc("ec_subject","User"), + setc("ec_activity","Delete"), + dup2, + dup4, + setc("action","Deleting"), +])); + +var msg4 = msg("Deleting", part4); + +var part5 = match("MESSAGE#4:Finished", 
"nwparser.payload", "Finished testing %{hostip}. %{fld5}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished testing"), +])); + +var msg5 = msg("Finished", part5); + +var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Finished"), +])); + +var msg6 = msg("Finished:01", part6); + +var select3 = linear_select([ + msg5, + msg6, +]); + +var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","finished"), +])); + +var msg7 = msg("finished", part7); + +var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Test Complete"), +])); + +var msg8 = msg("user", part8); + +var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","testing"), +])); + +var msg9 = msg("user:01", part9); + +var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. 
Target(s) : %{hostname}, %{info}", processor_chain([ + dup5, + dup2, + dup4, + dup6, +])); + +var msg10 = msg("user:02", part10); + +var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup4, + setc("event_description","User launched rule scan"), +])); + +var msg11 = msg("user_launching", part11); + +var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ + dup7, + dup2, + dup4, +])); + +var msg12 = msg("user_not_launching", part12); + +var select4 = linear_select([ + msg8, + msg9, + msg10, + msg11, + msg12, +]); + +var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ + dup5, + dup2, + dup4, + setc("action","Scan complete"), +])); + +var msg13 = msg("Scan", part13); + +var msg14 = msg("Total", dup14); + +var msg15 = msg("Task", dup14); + +var msg16 = msg("started", dup15); + +var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","failed"), +])); + +var msg17 = msg("failed", part14); + +var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg18 = msg("Nessus", part15); + +var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Reloading"), +])); + +var msg19 = msg("Reloading", part16); + +var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","connection timeout"), +])); + +var msg20 = msg("New", part17); + +var part18 = match("MESSAGE#17:Invalid", 
"nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + setc("action","Invalid"), +])); + +var msg21 = msg("Invalid", part18); + +var msg22 = msg("Client", dup14); + +var msg23 = msg("auth_check_user", dup14); + +var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ + dup9, + dup2, + dup4, + dup10, +])); + +var msg24 = msg("bad", part19); + +var msg25 = msg("Reducing", dup14); + +var msg26 = msg("Redirecting", dup14); + +var msg27 = msg("Missing", dup14); + +var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ + setc("eventcategory","1401060000"), + dup2, + dup4, +])); + +var msg28 = msg("User", part20); + +var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ + dup5, + dup2, + dup4, + dup6, +])); + +var msg29 = msg("User:01", part21); + +var select5 = linear_select([ + msg28, + msg29, +]); + +var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ + dup1, + dup11, + dup2, + dup4, +])); + +var msg30 = msg("Plugins", part22); + +var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ + dup1, + dup12, + setc("ec_outcome","Success"), + dup2, + dup4, + setc("event_description","Rule scan finished"), +])); + +var msg31 = msg("process_finished", part23); + +var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ + dup7, + dup12, + dup11, + dup2, + dup4, + setc("event_description","Rule scan killed due to slow response"), +])); + +var msg32 = msg("process_notfinished_killed", part24); + +var part25 = match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP 
sessions in parallel", processor_chain([ + dup1, + dup2, + dup4, + setc("event_description","TCP sessions in parallel"), +])); + +var msg33 = msg("TCP", part25); + +var msg34 = msg("nessusd", dup14); + +var msg35 = msg("installation", dup14); + +var msg36 = msg("Running", dup14); + +var msg37 = msg("started.", dup15); + +var msg38 = msg("scanner", dup14); + +var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg39 = msg("Another", part26); + +var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ + dup9, + dup2, + dup4, + dup10, +])); + +var msg40 = msg("Bad", part27); + +var msg41 = msg("Full", dup14); + +var msg42 = msg("System", dup14); + +var msg43 = msg("Initial", dup14); + +var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ + setc("eventcategory","1402020200"), + dup2, + dup4, +])); + +var msg44 = msg("Adding", part28); + +var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ + setc("eventcategory","1402030000"), + dup2, + dup4, +])); + +var msg45 = msg("Granting", part29); + +var msg46 = msg("Could", dup16); + +var msg47 = msg("depends", dup16); + +var msg48 = msg("Converting", dup14); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Adding": msg44, + "Another": msg39, + "Bad": msg40, + "Client": msg22, + "Converting": msg48, + "Could": msg46, + "Deleting": msg4, + "Finished": select3, + "Full": msg41, + "Granting": msg45, + "Initial": msg43, + "Invalid": msg21, + "Missing": msg27, + "Nessus": msg18, + "New": msg20, + "Plugins": msg30, + "REPORTITEM": select2, + "Redirecting": msg26, + "Reducing": msg25, + "Reloading": msg19, + "Running": msg36, + "Scan": msg13, + "System": msg42, + "TCP": msg33, + "Task": msg15, + "Total": 
msg14, + "User": select5, + "auth_check_user": msg23, + "bad": msg24, + "connection": msg3, + "depends": msg47, + "failed": msg17, + "finished": msg7, + "installation": msg35, + "nessusd": msg34, + "pid": msg32, + "process": msg31, + "scanner": msg38, + "started": msg16, + "started.": msg37, + "user": select4, + }), +]); + +var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, +])); + +var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup4, + dup8, +])); + +var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ + dup13, + dup2, + dup4, +])); diff --git a/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml b/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml new file mode 100644 index 00000000000..7482d9c4c9d --- /dev/null +++ b/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml 
@@ -0,0 +1,55 @@ +--- +description: Pipeline for Tenable Network Security Nessus + +processors: + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/tenable/nessus_security/manifest.yml b/x-pack/filebeat/module/tenable/nessus_security/manifest.yml new file mode 100644 index 00000000000..eeaa83f86c5 --- /dev/null +++ b/x-pack/filebeat/module/tenable/nessus_security/manifest.yml 
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["tenable.nessus_security", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9516 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md new file mode 100644 index 00000000000..3a24ecf13e5 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/README.md @@ -0,0 +1,7 @@ +# tomcat module + +This is a module for Apache Tomcat logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 +at 2020-07-13 17:55:32.188756 +0000 UTC. + diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml new file mode 100644 index 00000000000..25592f0ad30 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/_meta/config.yml @@ -0,0 +1,19 @@ +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc new file mode 100644 index 00000000000..c68f663b190 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc 
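Review bot: In the new x-pack/filebeat/module/tomcat/_meta/config.yml hunk, the commented template lists `var.input`, `var.syslog_host`, `var.syslog_port`, `var.paths`, `var.rsa_fields` and `var.tz_offset` but omits `var.keep_raw_fields`, even though the module's docs.asciidoc added in this same commit documents that setting (raw parser fields kept under `rsa.raw`, default false). A user starting from this template has no way to discover the option, and since it controls whether unparsed raw fields are indexed, it is worth surfacing next to the other output toggles. Suggested addition after the `var.rsa_fields` block: `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. The same template layout is presumably generated for the other modules in this PR, so the generator may be the right place to fix it.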
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: tomcat +:has-dashboards: false + +== Tomcat module + +experimental[] + +This is a module for receiving Apache Tomcat logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9501` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/tomcat/_meta/fields.yml b/x-pack/filebeat/module/tomcat/_meta/fields.yml new file mode 100644 index 00000000000..4c67d0156af --- /dev/null +++ b/x-pack/filebeat/module/tomcat/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: tomcat + title: Apache Tomcat + description: > + tomcat fields. + fields: diff --git a/x-pack/filebeat/module/tomcat/fields.go b/x-pack/filebeat/module/tomcat/fields.go new file mode 100644 index 00000000000..638b1ce26d5 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package tomcat + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "tomcat", asset.ModuleFieldsPri, AssetTomcat); err != nil { + panic(err) + } +} + +// AssetTomcat returns asset data. +// This is the base64 encoded gzipped contents of module/tomcat. +func AssetTomcat() string { + return "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" +} diff --git a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ overwrite: true
+ type: group
+ fields:
+ - name: auth_method
+ overwrite: true
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ overwrite: true
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ overwrite: true
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ overwrite: true
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ overwrite: true
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ overwrite: true
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ overwrite: true
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ overwrite: true
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ overwrite: true
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ overwrite: true
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml
new file mode 100644
index 00000000000..256f657133f
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Apache"
+ product: "TomCat"
+ type: "Web"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/tomcat/log/config/liblogparser.js
+ - ${path.home}/module/tomcat/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
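Review bot: The `debug: {{.debug}}` parameter handed to the script processor is a data-exposure switch that the template does not warn about: when it is on, the bundled parser prints every raw message it attempts to dissect into the Filebeat log (`console.debug(" input: <<" + msg + ">>")` in liblogparser.js), and for a web access log that line can carry cookie or session values — exactly what the module's own `web_cookie`/`p_web_cookie` fields expect to find. I would add a comment above that line, `# debug: true writes every raw event line to the Filebeat log; keep it off outside troubleshooting.` The syslog branch (`type: {{.input}}` with `host: "{{.syslog_host}}:{{.syslog_port}}"`) also passes no `ssl` settings through, so a tcp listener built from this template receives logs in the clear unless the manifest adds them; whether `syslog_host` defaults to localhost cannot be seen from this hunk and is worth stating in the module docs.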
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("ABCD", dup7); + +var msg2 = msg("BADMETHOD", dup7); + +var msg3 = msg("BADMTHD", dup7); + +var msg4 = msg("BDMTHD", dup7); + +var msg5 = msg("INDEX", dup7); + +var msg6 = msg("CFYZ", dup7); + +var msg7 = msg("CONNECT", dup7); + +var msg8 = msg("DELETE", dup7); + +var msg9 = msg("DETECT_METHOD_TYPE", dup7); + +var msg10 = msg("FGET", dup7); + +var msg11 = msg("GET", dup7); + +var msg12 = msg("get", dup7); + +var msg13 = msg("HEAD", dup7); + +var msg14 = msg("id", dup7); + +var msg15 = msg("LOCK", dup7); + +var msg16 = msg("MKCOL", dup7); + +var msg17 = msg("NCIRCLE", dup7); + +var msg18 = msg("OPTIONS", dup7); + +var msg19 = msg("POST", dup7); + +var msg20 = msg("PRONECT", dup7); + +var msg21 = msg("PROPFIND", dup7); + +var msg22 = msg("PUT", dup7); + +var msg23 = msg("QUALYS", dup7); + +var msg24 = msg("SEARCH", dup7); + +var msg25 = msg("TRACK", dup7); + +var msg26 = msg("TRACE", dup7); + +var msg27 = msg("uGET", dup7); + +var msg28 = msg("null", dup7); + +var msg29 = msg("rndmmtd", dup7); + +var msg30 = msg("RNDMMTD", dup7); + +var msg31 = msg("asdf", dup7); + +var msg32 = msg("DEBUG", dup7); + +var msg33 = msg("COOK", dup7); + +var msg34 = msg("nGET", dup7); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ABCD": 
msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), +]); + +var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml new file mode 100644 index 00000000000..e5cd87682ea --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Apache Tomcat
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/tomcat/log/manifest.yml b/x-pack/filebeat/module/tomcat/log/manifest.yml
new file mode 100644
index 00000000000..22d091842cf
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/manifest.yml
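Review bot: `ignore_missing: true` on the four `geoip` processors only tolerates an absent field; a `source.ip` or `destination.ip` value that is not a valid IP literal makes the first geoip processor throw, which ends the pipeline and leaves the document indexed with nothing but the `error.message` appended by `on_failure`. The address presumably originates from the log's first `||` column (the `%{saddr}` capture in pipeline.js, whose mapping to `source.ip` is outside this hunk), so a hostname or a mangled line is a realistic input rather than a corner case. To keep such partially-enriched documents discoverable, consider adding a second append in the failure handler, `- append: field: event.kind value: pipeline_error`, next to the existing `error.message` one; searching on `error.message` alone is easy to overlook in detection content.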
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["tomcat.log", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9501
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log b/x-pack/filebeat/module/tomcat/log/test/generated.log
new file mode 100644
index 00000000000..6d52ed9cd2e
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log
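Review bot: The `var` list documents none of its entries, and several of them govern what ends up in the index rather than how input is read: `rsa_fields` (default `true`), `keep_raw_fields` (default `false`) and `tz_offset` (default `local`) have no description of what they switch on or off, and `input` gives no hint of which values besides `udp` are accepted. A one-line comment per entry in the manifest, such as `# rsa_fields: also emit the RSA NetWitness field names next to the ECS ones` and `# keep_raw_fields: retain the unparsed message fields (larger documents)`, would let an operator pick defaults without reading pipeline.js; whether the module's asciidoc already covers them is not visible in this hunk. The loopback `syslog_host` default is the right choice for a plain-UDP listener, and a short comment noting that it is deliberate would keep a future "bind to 0.0.0.0" change from looking like a drive-by fix.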
@@ -0,0 +1,100 @@ +%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu +%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari +February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul +%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec +%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36||fug +%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi +April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed +May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam +%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera +%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 
60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc +June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain +July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq +July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto +%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese +%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio +August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn +%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu +September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender +%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; 
VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab +October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor +November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol +%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan +%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30||uiinea +%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure +January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec +January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain +%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol +%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium +March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed +%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita +April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe +April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni +%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 
OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo +May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto +%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec +June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica +June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 
OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites +%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae +%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun +%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq +August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq 
+%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni +%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq +October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo +%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc +%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo +%APACHETOMCAT-494-GET: 
10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd +December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo +December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim +December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet +%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF +January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon +%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem +%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua +March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll +%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 
CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq +April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo +%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa +%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla +May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except 
+June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer +%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul +July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau +%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola +August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore +August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco +August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met +%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq +September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt +%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 
OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi +%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat +November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq +November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit +December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut +%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem +%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa +%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor +February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd +February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN 
Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con +March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti +%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau +%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq +April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse +April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 
GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel +May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit +%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw +%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq +June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari +July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid +%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu +August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa +%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo +%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; 
Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides +%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea +October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol +October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau +November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta +November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 
GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve +November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua +%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json new file mode 100644 index 00000000000..4df04b99e4d --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json 
@@ -0,0 +1,5522 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu", + "event.timezone": "OMST", + "file.name": "vol", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer", + "input.type": "log", + "log.offset": 0, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.251.224.219" + ], + "related.user": [ + "rci" + ], + "rsa.internal.level": 1516, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "exercita" + ], + "rsa.misc.result_code": "ntsunti", + "rsa.network.network_service": "oremi", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.web_cookie": "aliqu", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5293, + "source.ip": [ + "10.251.224.219" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "amremap", + "user.name": "rci", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + 
"user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari", + "event.timezone": "PST", + "file.name": "pisciv", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn", + "input.type": "log", + "log.offset": 369, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.153.12" + ], + "related.user": [ + "abo" + ], + "rsa.internal.level": 259, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "umqui" + ], + "rsa.misc.result_code": "estlabo", + "rsa.network.network_service": "umexe", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.fqdn": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.web_cookie": "nulapari", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 5222, + "source.ip": [ + "10.196.153.12" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "uii", + "user.name": "abo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "event.code": "COOK", + 
"event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul", + "event.timezone": "PT", + "file.name": "emape", + "fileset.name": "log", + "host.name": "ctetur5806.api.home", + "http.request.referrer": "https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons", + "input.type": "log", + "log.offset": 708, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.156.194.38" + ], + "related.user": [ + "enatus" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "incid" + ], + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "ctetur5806.api.home" + ], + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.fqdn": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.web_cookie": "nul", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 7019, + "source.ip": [ + "10.156.194.38" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "aer", + "user.name": "enatus", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec", + "event.timezone": "CT", + "file.name": "ionofde", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", + "input.type": "log", + "log.offset": 1166, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.118.192" + ], + "related.user": [ + "tur" + ], + "rsa.internal.level": 1060, + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "equat" + ], + "rsa.misc.result_code": "quiavo", + "rsa.network.network_service": "uia", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.fqdn": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.web_cookie": "tconsec", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 1156, + "source.ip": [ + "10.196.118.192" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "con", + "user.name": "tur", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 
(Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug", + "event.timezone": "GMT+02:00", + "file.name": "equuntu", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat", + "input.type": "log", + "log.offset": 1603, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.209.145" + ], + "related.user": [ + "llu" + ], + "rsa.internal.level": 4141, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ommod" + ], + "rsa.misc.result_code": "rmagni", + "rsa.network.network_service": "enimad", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.fqdn": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.web_cookie": "fug", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 1998, + "source.ip": [ + "10.246.209.145" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": 
"eos", + "user.name": "llu", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi", + "event.timezone": "PST", + "file.name": "pori", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu", + "input.type": "log", + "log.offset": 1997, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.114.191.225" + ], + "related.user": [ + "tempo" + ], + "rsa.internal.level": 2964, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "exercit" + ], + "rsa.misc.result_code": "reetdolo", + "rsa.network.network_service": "ect", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.fqdn": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.web_cookie": "tanimi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2770, + "source.ip": [ + "10.114.191.225" + ], + "tags": [ + 
"tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "occ", + "user.name": "tempo", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed", + "event.timezone": "PT", + "file.name": "loremagn", + "fileset.name": "log", + "host.name": "erep2696.www.home", + "http.request.referrer": "https://api.example.com/uovol/dmi.txt?quunt=ptat#ore", + "input.type": "log", + "log.offset": 2400, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.38.77.13" + ], + "related.user": [ + "liqu" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "ehend" + ], + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "erep2696.www.home" + ], + "rsa.network.network_service": "gelits", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "rsa.web.fqdn": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + 
"rsa.web.web_cookie": "tsed", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 3856, + "source.ip": [ + "10.38.77.13" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "ipis", + "user.name": "liqu", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam", + "event.timezone": "CEST", + "file.name": "inB", + "fileset.name": "log", + "host.name": "mUt2398.invalid", + "http.request.referrer": "https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio", + "input.type": "log", + "log.offset": 2830, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.11.201.109" + ], + "related.user": [ + "ugits" + ], + "rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "iinea" + ], + "rsa.misc.result_code": "ntsuntin", + "rsa.network.alias_host": [ + "mUt2398.invalid" + ], + "rsa.network.network_service": "tquovol", + "rsa.time.event_time": 
"2016-05-08T09:27:59.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.fqdn": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.web_cookie": "iam", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 3341, + "source.ip": [ + "10.11.201.109" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "deomni", + "user.name": "ugits", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera", + "event.timezone": "CT", + "file.name": "iqu", + "fileset.name": "log", + "http.request.referrer": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", + "input.type": "log", + "log.offset": 3299, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.182.166.181" + ], + "related.user": [ + "mol" + ], + "rsa.internal.level": 3097, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + 
"olupta" + ], + "rsa.misc.result_code": "aper", + "rsa.network.network_service": "usan", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.fqdn": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.web_cookie": "mquaera", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 5529, + "source.ip": [ + "10.182.166.181" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "ollit", + "user.name": "mol", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc", + "event.timezone": "OMST", + "file.name": "metcon", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist", + "input.type": "log", + "log.offset": 3696, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.126.247" + ], + "related.user": [ + "quu" + ], + "rsa.internal.level": 6283, + 
"rsa.internal.messageid": "null", + "rsa.misc.action": [ + "avol" + ], + "rsa.misc.result_code": "emporinc", + "rsa.network.network_service": "litessec", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.fqdn": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.web_cookie": "caecatc", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 5075, + "source.ip": [ + "10.185.126.247" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "smo", + "user.name": "quu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain", + "event.timezone": "PST", + "file.name": "antiumto", + "fileset.name": "log", + "host.name": "siuta2896.www.localhost", + "http.request.referrer": "https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea", + "input.type": "log", + "log.offset": 4044, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.72.114.23" + ], + "related.user": [ + "nsequu" + ], + 
"rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "rsint" + ], + "rsa.misc.result_code": "usmod", + "rsa.network.alias_host": [ + "siuta2896.www.localhost" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.fqdn": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1640, + "source.ip": [ + "10.72.114.23" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "strude", + "user.name": "nsequu", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq", + "event.timezone": "PST", + "file.name": "onproide", + "fileset.name": "log", + "host.name": "oin6316.www5.host", + "http.request.referrer": "https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE", + "input.type": "log", + "log.offset": 4460, + "observer.product": 
"TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.129.241.147" + ], + "related.user": [ + "lapariat" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "etc" + ], + "rsa.misc.result_code": "imaven", + "rsa.network.alias_host": [ + "oin6316.www5.host" + ], + "rsa.network.network_service": "itaut", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.fqdn": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.web_cookie": "inculpaq", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 152, + "source.ip": [ + "10.129.241.147" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "luptat", + "user.name": "lapariat", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", + "event.timezone": "GMT+02:00", + "file.name": "tectobe", 
+ "fileset.name": "log", + "host.name": "tionemu7691.www.local", + "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "input.type": "log", + "log.offset": 4878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.101.76" + ], + "related.user": [ + "des" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "stl" + ], + "rsa.misc.result_code": "etdolo", + "rsa.network.alias_host": [ + "tionemu7691.www.local" + ], + "rsa.network.network_service": "iusmodt", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.fqdn": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.web_cookie": "itecto", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 3768, + "source.ip": [ + "10.185.101.76" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "colabor", + "user.name": "des", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 
OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", + "event.timezone": "OMST", + "file.name": "ici", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten", + "input.type": "log", + "log.offset": 5364, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.57.170.140" + ], + "related.user": [ + "onse" + ], + "rsa.internal.level": 3217, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "inibusBo" + ], + "rsa.misc.result_code": "dexeac", + "rsa.network.network_service": "eritquii", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.fqdn": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.web_cookie": "iadese", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 3088, + "source.ip": [ + "10.57.170.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "giatquov", + "user.name": "onse", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": 
"%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", + "event.timezone": "GMT+02:00", + "file.name": "idolor", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu", + "input.type": "log", + "log.offset": 5761, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.33.153.47" + ], + "related.user": [ + "atquovo" + ], + "rsa.internal.level": 1109, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "iineavo" + ], + "rsa.misc.result_code": "lupt", + "rsa.network.network_service": "CSed", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.fqdn": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.web_cookie": "tio", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6136, + "source.ip": [ + "10.33.153.47" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "emeumfu", + "user.name": "atquovo", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + 
"user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", + "event.timezone": "CET", + "file.name": "olorema", + "fileset.name": "log", + "host.name": "conse2991.internal.lan", + "http.request.referrer": "https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit", + "input.type": "log", + "log.offset": 6206, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.116.104.101" + ], + "related.user": [ + "tat" + ], + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "lumqui" + ], + "rsa.misc.result_code": "datatn", + "rsa.network.alias_host": [ + "conse2991.internal.lan" + ], + "rsa.network.network_service": "siarchi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.fqdn": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.web_cookie": "remagn", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5076, + "source.ip": [ + "10.116.104.101" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "iades", + "user.name": "tat", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", + "event.timezone": "ET", + "file.name": "iadese", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tlabori/oin.jpg?quisnos=ite#ationul", + "input.type": "log", + "log.offset": 6628, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.202.194.67" + ], + "related.user": [ + "ittenbyC" + ], + "rsa.internal.level": 3361, + "rsa.internal.messageid": "null", + "rsa.misc.action": [ + "eirure" + ], + "rsa.misc.result_code": "utei", + "rsa.network.network_service": "utla", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.fqdn": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.web_cookie": "eritqu", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2716, + "source.ip": [ + "10.202.194.67" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "nsectet", + "user.name": "ittenbyC", + "user_agent.device.name": "ZTE 
Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", + "event.timezone": "PST", + "file.name": "eaq", + "fileset.name": "log", + "host.name": "wri2784.api.domain", + "http.request.referrer": "https://www.example.com/adeseru/emoe.html?atur=itanimi#itame", + "input.type": "log", + "log.offset": 7086, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.153.111.103" + ], + "related.user": [ + "modocon" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "taevit" + ], + "rsa.misc.result_code": "labore", + "rsa.network.alias_host": [ + "wri2784.api.domain" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.fqdn": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.web_cookie": "rehender", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + 
"source.bytes": 4621, + "source.ip": [ + "10.153.111.103" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "occae", + "user.name": "modocon", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", + "event.timezone": "GMT+02:00", + "file.name": "radipisc", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "input.type": "log", + "log.offset": 7515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.186.29" + ], + "related.user": [ + "doloreme" + ], + "rsa.internal.level": 1637, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "ione" + ], + "rsa.misc.result_code": "uscipit", + "rsa.network.network_service": "fficiade", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.fqdn": 
"https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.web_cookie": "mcolab", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 4168, + "source.ip": [ + "10.52.186.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "tmo", + "user.name": "doloreme", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", + "event.timezone": "GMT-07:00", + "file.name": "boN", + "fileset.name": "log", + "host.name": "oquisqu2937.mail.domain", + "http.request.referrer": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "input.type": "log", + "log.offset": 7922, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.182.237" + ], + "related.user": [ + "olor" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "osqui" + ], + "rsa.misc.result_code": 
"aboN", + "rsa.network.alias_host": [ + "oquisqu2937.mail.domain" + ], + "rsa.network.network_service": "aevit", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.fqdn": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.web_cookie": "lor", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3423, + "source.ip": [ + "10.209.182.237" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "eprehend", + "user.name": "olor", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", + "event.timezone": "CT", + "file.name": "isnisiu", + "fileset.name": "log", + "host.name": "dolore1287.internal.lan", + "http.request.referrer": 
"https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", + "input.type": "log", + "log.offset": 8486, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.63.194.87" + ], + "related.user": [ + "sin" + ], + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "aliquam" + ], + "rsa.misc.result_code": "tcons", + "rsa.network.alias_host": [ + "dolore1287.internal.lan" + ], + "rsa.network.network_service": "tsu", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.fqdn": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.web_cookie": "dol", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3128, + "source.ip": [ + "10.63.194.87" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "bore", + "user.name": "sin", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", + "event.timezone": "OMST", + "file.name": "eroi", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", + "input.type": "log", + "log.offset": 8961, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.191.18" + ], + "related.user": [ + "orporiss" + ], + "rsa.internal.level": 4307, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlabo" + ], + "rsa.misc.result_code": "ofde", + "rsa.network.network_service": "aliquide", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.fqdn": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.web_cookie": "udan", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 4940, + "source.ip": [ + "10.62.191.18" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "dtemp", + "user.name": "orporiss", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 
ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", + "event.timezone": "ET", + "file.name": "iciadese", + "fileset.name": "log", + "http.request.referrer": "https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat", + "input.type": "log", + "log.offset": 9407, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.238.164.29" + ], + "related.user": [ + "utlabor" + ], + "rsa.internal.level": 6040, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "temvel" + ], + "rsa.misc.result_code": "olupta", + "rsa.network.network_service": "tessec", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.fqdn": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.web_cookie": "uiinea", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2660, + "source.ip": [ + "10.238.164.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "quidolor", + "user.name": "utlabor", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", 
+ "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", + "event.timezone": "CT", + "file.name": "ipsumdol", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", + "input.type": "log", + "log.offset": 9841, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.155.230.17" + ], + "related.user": [ + "ionevo" + ], + "rsa.internal.level": 1612, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "Ute" + ], + "rsa.misc.result_code": "urerepr", + "rsa.network.network_service": "etdo", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.fqdn": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.web_cookie": "uteirure", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 4674, + "source.ip": [ + "10.155.230.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "tet", + "user.name": "ionevo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": 
"2017-01-06T09:11:41.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", + "event.timezone": "PST", + "file.name": "niamqui", + "fileset.name": "log", + "host.name": "ide2767.www5.local", + "http.request.referrer": "https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav", + "input.type": "log", + "log.offset": 10224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.102.229.102" + ], + "related.user": [ + "tenbyCi" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tco" + ], + "rsa.misc.result_code": "atno", + "rsa.network.alias_host": [ + "ide2767.www5.local" + ], + "rsa.network.network_service": "sno", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.fqdn": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.web_cookie": "sec", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5263, + "source.ip": [ + "10.102.229.102" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "orem", + "user.name": "tenbyCi", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "event.code": "HEAD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", + "event.timezone": "OMST", + "file.name": "etconsec", + "fileset.name": "log", + "host.name": "sBon1759.invalid", + "http.request.referrer": "https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol", + "input.type": "log", + "log.offset": 10625, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.14.7" + ], + "related.user": [ + "vita" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "ullamcor" + ], + "rsa.misc.result_code": "ersp", + "rsa.network.alias_host": [ + "sBon1759.invalid" + ], + "rsa.network.network_service": "evolu", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.fqdn": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 3536, + "source.ip": [ + "10.194.14.7" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ios", + "user.name": "vita", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", + "event.timezone": "ET", + "file.name": "utp", + "fileset.name": "log", + "http.request.referrer": "https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi", + "input.type": "log", + "log.offset": 11083, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.99.0.226" + ], + "related.user": [ + "uidol" + ], + "rsa.internal.level": 6113, + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "quameius" + ], + "rsa.misc.result_code": "iciade", + "rsa.network.network_service": "rsitv", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.fqdn": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.web_cookie": "uredol", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 5649, + "source.ip": [ + "10.99.0.226" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "ema", + 
"user.name": "uidol", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", + "event.timezone": "OMST", + "file.name": "uamni", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/loreme/untu.htm?ven=con#nisist", + "input.type": "log", + "log.offset": 11478, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.107.174.213" + ], + "related.user": [ + "minimav" + ], + "rsa.internal.level": 6945, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "taedicta" + ], + "rsa.misc.result_code": "uine", + "rsa.network.network_service": "ati", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.fqdn": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.web_cookie": "ium", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 2438, + "source.ip": [ + "10.107.174.213" + ], + "tags": 
[ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "ctet", + "user.name": "minimav", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", + "event.timezone": "CET", + "file.name": "gitsedqu", + "fileset.name": "log", + "host.name": "idunt4707.host", + "http.request.referrer": "https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser", + "input.type": "log", + "log.offset": 11878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.84.25.23" + ], + "related.user": [ + "isnost" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "rQuisau" + ], + "rsa.misc.result_code": "quam", + "rsa.network.alias_host": [ + "idunt4707.host" + ], + "rsa.network.network_service": "rsitvolu", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.fqdn": 
"https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.web_cookie": "gitsed", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 5315, + "source.ip": [ + "10.84.25.23" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "borios", + "user.name": "isnost", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", + "event.timezone": "PT", + "file.name": "rnatur", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre", + "input.type": "log", + "log.offset": 12362, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.193.143.108" + ], + "related.user": [ + "luptate" + ], + "rsa.internal.level": 4367, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atisun" + ], + "rsa.misc.result_code": "acommo", + 
"rsa.network.network_service": "essequam", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.fqdn": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.web_cookie": "ercita", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 3105, + "source.ip": [ + "10.193.143.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "ofdeFin", + "user.name": "luptate", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", + "event.timezone": "CT", + "file.name": "seq", + "fileset.name": "log", + "host.name": "emquia1497.www5.lan", + "http.request.referrer": "https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu", + "input.type": "log", + "log.offset": 12826, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.190.51.22" + ], + 
"related.user": [ + "siut" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "uisa" + ], + "rsa.misc.result_code": "atevelit", + "rsa.network.alias_host": [ + "emquia1497.www5.lan" + ], + "rsa.network.network_service": "sau", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.fqdn": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.web_cookie": "orumSe", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2450, + "source.ip": [ + "10.190.51.22" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tutlab", + "user.name": "siut", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", + "event.timezone": "PT", + "file.name": "rnatu", + "fileset.name": "log", + "host.name": "riat3854.www5.home", + "http.request.referrer": "https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla", + "input.type": "log", + "log.offset": 13211, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.90.130" 
+ ], + "related.user": [ + "tconsect" + ], + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "piscinge" + ], + "rsa.misc.result_code": "quasia", + "rsa.network.alias_host": [ + "riat3854.www5.home" + ], + "rsa.network.network_service": "ima", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.fqdn": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.web_cookie": "sequamni", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 2382, + "source.ip": [ + "10.194.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "elitse", + "user.name": "tconsect", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", + "event.timezone": "OMST", + "file.name": "dolore", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "input.type": "log", + "log.offset": 13540, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.10.213.83" + ], + 
"related.user": [ + "psum" + ], + "rsa.internal.level": 6198, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "ncididun" + ], + "rsa.misc.result_code": "ect", + "rsa.network.network_service": "quidexea", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.fqdn": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.web_cookie": "labo", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 23, + "source.ip": [ + "10.10.213.83" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "uptate", + "user.name": "psum", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", + "event.timezone": "ET", + "file.name": "liqua", + "fileset.name": "log", + "host.name": "aboreetd5461.host", + "http.request.referrer": "https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem", + "input.type": "log", + "log.offset": 14078, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.125.9" + ], + "related.user": [ + "urv" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "nimid" + ], + "rsa.misc.result_code": "uasiar", + "rsa.network.alias_host": [ + "aboreetd5461.host" + ], + "rsa.network.network_service": "isis", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.fqdn": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.web_cookie": "rauto", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 2552, + "source.ip": [ + "10.52.125.9" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "mvele", + "user.name": "urv", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": 
"tomcat", + "event.original": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", + "event.timezone": "PT", + "file.name": "reprehe", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo", + "input.type": "log", + "log.offset": 14644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.19.17.202" + ], + "related.user": [ + "mve" + ], + "rsa.internal.level": 5770, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "isau" + ], + "rsa.misc.result_code": "itse", + "rsa.network.network_service": "suntin", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.fqdn": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.web_cookie": "aec", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 814, + "source.ip": [ + "10.19.17.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "tincu", + "user.name": "mve", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "RNDMMTD", + "event.dataset": 
"tomcat.log", + "event.module": "tomcat", + "event.original": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica", + "event.timezone": "PT", + "file.name": "qua", + "fileset.name": "log", + "host.name": "iquidexe304.mail.test", + "http.request.referrer": "https://api.example.com/tdol/upt.htm?asper=idunt#luptat", + "input.type": "log", + "log.offset": 15012, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.64.5" + ], + "related.user": [ + "uat" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "moenimi" + ], + "rsa.misc.result_code": "ipsamvo", + "rsa.network.alias_host": [ + "iquidexe304.mail.test" + ], + "rsa.network.network_service": "ate", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.fqdn": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.web_cookie": "ica", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 344, + "source.ip": [ + "10.195.64.5" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "rsita", + "user.name": "uat", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + 
"user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.code": "POST", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", + "event.timezone": "OMST", + "file.name": "xce", + "fileset.name": "log", + "host.name": "remips4828.www5.host", + "http.request.referrer": "https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor", + "input.type": "log", + "log.offset": 15419, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.77.194" + ], + "related.user": [ + "itesseq" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "snost" + ], + "rsa.misc.result_code": "nimadmin", + "rsa.network.alias_host": [ + "remips4828.www5.host" + ], + "rsa.network.network_service": "aincidu", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.fqdn": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.web_cookie": "elites", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4843, + "source.ip": [ + "10.209.77.194" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "dat", + "user.name": "itesseq", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", + "event.timezone": "GMT+02:00", + "file.name": "ariatur", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "input.type": "log", + "log.offset": 15838, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.168.6.90" + ], + "related.user": [ + "amvolupt" + ], + "rsa.internal.level": 1952, + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "atisund" + ], + "rsa.misc.result_code": "porincid", + "rsa.network.network_service": "iconseq", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.fqdn": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.web_cookie": "tae", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 6941, + "source.ip": [ + "10.168.6.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "rer", + "user.name": "amvolupt", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", + "event.timezone": "OMST", + "file.name": "est", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc", + "input.type": "log", + "log.offset": 16270, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.137.238" + ], + "related.user": [ + "ore" + ], + "rsa.internal.level": 7717, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "emqu" + ], + "rsa.misc.result_code": "tla", + "rsa.network.network_service": "leumiu", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.fqdn": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.web_cookie": "erun", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 4765, + "source.ip": [ + "10.89.137.238" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": 
"mail.example.com", + "url.query": "uptatemU", + "user.name": "ore", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", + "event.timezone": "CT", + "file.name": "giatquov", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame", + "input.type": "log", + "log.offset": 16704, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.61.213" + ], + "related.user": [ + "iusmodte" + ], + "rsa.internal.level": 4574, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "loi" + ], + "rsa.misc.result_code": "toccaec", + "rsa.network.network_service": "miurerep", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.fqdn": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.web_cookie": "orroq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + 
"source.bytes": 7645, + "source.ip": [ + "10.246.61.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "tconsec", + "user.name": "iusmodte", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", + "event.timezone": "PST", + "file.name": "oluptas", + "fileset.name": "log", + "host.name": "orin5238.host", + "http.request.referrer": "https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita", + "input.type": "log", + "log.offset": 17094, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.117.44.138" + ], + "related.user": [ + "rcit" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "enderit" + ], + "rsa.misc.result_code": "olorem", + "rsa.network.alias_host": [ + "orin5238.host" + ], + "rsa.network.network_service": "isnost", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.fqdn": 
"https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.web_cookie": "aliq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 2760, + "source.ip": [ + "10.117.44.138" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "emvele", + "user.name": "rcit", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", + "event.timezone": "OMST", + "file.name": "itlab", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve", + "input.type": "log", + "log.offset": 17515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.69.30.196" + ], + "related.user": [ + "elits" + ], + "rsa.internal.level": 4801, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "ruredo" + ], + "rsa.misc.result_code": "equ", + "rsa.network.network_service": "omm", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + 
"rsa.web.fqdn": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "rsa.web.web_cookie": "nimveni", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 4808, + "source.ip": [ + "10.69.30.196" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "urmag", + "user.name": "elits", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", + "event.timezone": "CT", + "file.name": "tate", + "fileset.name": "log", + "http.request.referrer": "https://example.org/onu/liquaUte.txt?velillu=ria#atDu", + "input.type": "log", + "log.offset": 17856, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.135.91.88" + ], + "related.user": [ + "eporroq" + ], + "rsa.internal.level": 7668, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ugiatn" + ], + "rsa.misc.result_code": "ectiono", + "rsa.network.network_service": "asi", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "rsa.web.fqdn": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + 
"rsa.web.web_cookie": "emq", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2241, + "source.ip": [ + "10.135.91.88" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "urExce", + "user.name": "eporroq", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", + "event.timezone": "CEST", + "file.name": "estl", + "fileset.name": "log", + "host.name": "agnaaliq1829.mail.test", + "http.request.referrer": "https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl", + "input.type": "log", + "log.offset": 18224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.81.45.174" + ], + "related.user": [ + "fugitse" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "liquide" + ], + "rsa.misc.result_code": "incidid", + "rsa.network.alias_host": [ + "agnaaliq1829.mail.test" + ], + "rsa.network.network_service": "iruredol", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "CEST", + 
"rsa.web.alias_host": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.fqdn": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.web_cookie": "mipsamvo", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 7699, + "source.ip": [ + "10.81.45.174" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "erun", + "user.name": "fugitse", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", + "event.timezone": "PST", + "file.name": "mve", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", + "input.type": "log", + "log.offset": 18644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.179.233" + ], + "related.user": [ + "avolu" + ], + "rsa.internal.level": 3517, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "eum" + ], + "rsa.misc.result_code": "lorem", + "rsa.network.network_service": "iciad", + "rsa.time.event_time": 
"2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "rsa.web.fqdn": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "rsa.web.web_cookie": "dexerc", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 6137, + "source.ip": [ + "10.87.179.233" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "uia", + "user.name": "avolu", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo", + "event.timezone": "OMST", + "file.name": "eavolup", + "fileset.name": "log", + "http.request.referrer": "https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ", + "input.type": "log", + "log.offset": 19027, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.198.57.130" + ], + "related.user": [ + "henderit" + ], + "rsa.internal.level": 2669, + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "perspici" + ], + 
"rsa.misc.result_code": "erc", + "rsa.network.network_service": "ver", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.fqdn": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.web_cookie": "emo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 294, + "source.ip": [ + "10.198.57.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "emip", + "user.name": "henderit", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-494-GET: 10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", + "event.timezone": "ET", + "file.name": "iscive", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea", + "input.type": "log", + "log.offset": 19452, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.218.0.197" + ], + "related.user": [ + "econs" + ], + "rsa.internal.level": 494, + "rsa.internal.messageid": 
"GET", + "rsa.misc.action": [ + "eritin" + ], + "rsa.misc.result_code": "teur", + "rsa.network.network_service": "aeab", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.fqdn": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.web_cookie": "eetd", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 609, + "source.ip": [ + "10.218.0.197" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "quasiar", + "user.name": "econs", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", + "event.timezone": "PST", + "file.name": "turvel", + "fileset.name": "log", + "host.name": "iatqu7310.api.home", + "http.request.referrer": "https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed", + "input.type": "log", + "log.offset": 19817, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + 
"10.123.199.198" + ], + "related.user": [ + "illumqui" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "tionula" + ], + "rsa.misc.result_code": "asuntexp", + "rsa.network.alias_host": [ + "iatqu7310.api.home" + ], + "rsa.network.network_service": "ipsa", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.fqdn": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.web_cookie": "mpo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1390, + "source.ip": [ + "10.123.199.198" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "eratv", + "user.name": "illumqui", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "POST", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", + "event.timezone": "ET", + "file.name": "rsi", + "fileset.name": "log", + "host.name": "uamnihil6127.api.domain", + "http.request.referrer": 
"https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex", + "input.type": "log", + "log.offset": 20237, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.29.119.245" + ], + "related.user": [ + "leumiur" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "ore" + ], + "rsa.misc.result_code": "ciun", + "rsa.network.alias_host": [ + "uamnihil6127.api.domain" + ], + "rsa.network.network_service": "mides", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.fqdn": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.web_cookie": "anim", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 39, + "source.ip": [ + "10.29.119.245" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "taliqui", + "user.name": "leumiur", + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", + "event.timezone": "PT", + "file.name": "des", + "fileset.name": "log", + "host.name": "uov1629.internal.invalid", + "http.request.referrer": "https://www.example.org/taedi/tquido.html?etconsec=elillum#upt", + "input.type": "log", + "log.offset": 20688, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.130.175.17" + ], + "related.user": [ + "quaU" + ], + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "inimav" + ], + "rsa.misc.result_code": "rroqu", + "rsa.network.alias_host": [ + "uov1629.internal.invalid" + ], + "rsa.network.network_service": "billo", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.fqdn": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.web_cookie": "onsectet", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 2170, + "source.ip": [ + "10.130.175.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "atnulapa", + "user.name": "quaU", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "event.code": "PROPFIND", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 
CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", + "event.timezone": "CET", + "file.name": "lupta", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih", + "input.type": "log", + "log.offset": 21121, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.166.90.130" + ], + "related.user": [ + "eosquira" + ], + "rsa.internal.level": 5752, + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "lloinven" + ], + "rsa.misc.result_code": "caboNem", + "rsa.network.network_service": "etconsec", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.fqdn": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.web_cookie": "deF", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 1043, + "source.ip": [ + "10.166.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "npr", + "user.name": "eosquira", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": 
"2018-01-27T07:21:06.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", + "event.timezone": "GMT-07:00", + "file.name": "ugiatquo", + "fileset.name": "log", + "host.name": "orumw5960.www5.home", + "http.request.referrer": "https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema", + "input.type": "log", + "log.offset": 21574, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.248.111.207" + ], + "related.user": [ + "tiumto" + ], + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "quiavol" + ], + "rsa.misc.result_code": "autemv", + "rsa.network.alias_host": [ + "orumw5960.www5.home" + ], + "rsa.network.network_service": "quin", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.fqdn": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.web_cookie": "atatnon", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6174, + "source.ip": [ + "10.248.111.207" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "incidid", + "user.name": "tiumto", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", + "event.timezone": "GMT+02:00", + "file.name": "red", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "input.type": "log", + "log.offset": 21994, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.37.32" + ], + "related.user": [ + "tesseq" + ], + "rsa.internal.level": 2940, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "tem" + ], + "rsa.misc.result_code": "luptas", + "rsa.network.network_service": "tatev", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.fqdn": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.web_cookie": "ptatem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 3286, + "source.ip": [ + "10.185.37.32" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "sinto", + "user.name": "tesseq", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", + "event.timezone": "CET", + "file.name": "atcupi", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa", + "input.type": "log", + "log.offset": 22449, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.194.202" + ], + "related.user": [ + "ntmo" + ], + "rsa.internal.level": 4927, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "riosa" + ], + "rsa.misc.result_code": "otamr", + "rsa.network.network_service": "qui", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.fqdn": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.web_cookie": "iqua", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 7278, + "source.ip": [ + "10.5.194.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "atem", + "user.name": 
"ntmo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", + "event.timezone": "CEST", + "file.name": "veleum", + "fileset.name": "log", + "host.name": "deriti6952.mail.domain", + "http.request.referrer": "https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio", + "input.type": "log", + "log.offset": 22822, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.183.34.1" + ], + "related.user": [ + "isn" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "der" + ], + "rsa.misc.result_code": "lmolesti", + "rsa.network.alias_host": [ + "deriti6952.mail.domain" + ], + "rsa.network.network_service": "nes", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.fqdn": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.web_cookie": "ntmoll", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", 
+ "source.bytes": 1559, + "source.ip": [ + "10.183.34.1" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "piciatis", + "user.name": "isn", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq", + "event.timezone": "CEST", + "file.name": "odi", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab", + "input.type": "log", + "log.offset": 23258, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.101.163.40" + ], + "related.user": [ + "nBCSe" + ], + "rsa.internal.level": 4472, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "remips" + ], + "rsa.misc.result_code": "ore", + "rsa.network.network_service": "runtmo", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "rsa.web.fqdn": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + 
"rsa.web.web_cookie": "liq", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 3512, + "source.ip": [ + "10.101.163.40" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ptatems", + "user.name": "nBCSe", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", + "event.timezone": "ET", + "file.name": "tatevel", + "fileset.name": "log", + "host.name": "nse3421.mail.localhost", + "http.request.referrer": "https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui", + "input.type": "log", + "log.offset": 23666, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.216.188.152" + ], + "related.user": [ + "ugitsedq" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atDuis" + ], + "rsa.misc.result_code": "ict", + "rsa.network.alias_host": [ + "nse3421.mail.localhost" + ], + "rsa.network.network_service": "untu", + 
"rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.fqdn": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.web_cookie": "Nequepo", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 2699, + "source.ip": [ + "10.216.188.152" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "iumdolo", + "user.name": "ugitsedq", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", + "event.timezone": "OMST", + "file.name": "isiutali", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/unt/tass.html?tla=mquiad#CSe", + "input.type": "log", + "log.offset": 24141, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.140.77" + ], + "related.user": [ + "isnisiu" + ], + "rsa.internal.level": 1033, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "dol" + ], + 
"rsa.misc.result_code": "ons", + "rsa.network.network_service": "onulamco", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.fqdn": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.web_cookie": "psa", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5050, + "source.ip": [ + "10.94.140.77" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "lumqu", + "user.name": "isnisiu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", + "event.timezone": "PST", + "file.name": "iamea", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "input.type": "log", + "log.offset": 24484, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.223.205.204" + ], + "related.user": [ + "ccaec" + ], + "rsa.internal.level": 4133, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "ommo" + ], + 
"rsa.misc.result_code": "iam", + "rsa.network.network_service": "uiacon", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.fqdn": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.web_cookie": "tutla", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 7526, + "source.ip": [ + "10.223.205.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "imaveni", + "user.name": "ccaec", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", + "event.timezone": "CEST", + "file.name": "ditautf", + "fileset.name": "log", + "host.name": "tautfug689.localdomain", + "http.request.referrer": "https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag", + "input.type": "log", + "log.offset": 24917, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", 
+ "related.ip": [ + "10.85.137.156" + ], + "related.user": [ + "serror" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "isiut" + ], + "rsa.misc.result_code": "uamqu", + "rsa.network.alias_host": [ + "tautfug689.localdomain" + ], + "rsa.network.network_service": "ori", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.fqdn": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.web_cookie": "Except", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2804, + "source.ip": [ + "10.85.137.156" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "itametc", + "user.name": "serror", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "event.code": "QUALYS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer", + "event.timezone": "PST", + "file.name": "iciadese", + "fileset.name": "log", + "host.name": "totam6886.api.localhost", + "http.request.referrer": 
"https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo", + "input.type": "log", + "log.offset": 25326, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.12.54.142" + ], + "related.user": [ + "liquam" + ], + "rsa.internal.messageid": "QUALYS", + "rsa.misc.action": [ + "lor" + ], + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "totam6886.api.localhost" + ], + "rsa.network.network_service": "oeni", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.fqdn": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.web_cookie": "aer", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3000, + "source.ip": [ + "10.12.54.142" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "riatur", + "user.name": "liquam", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 
XiaoMi/MiuiBrowser/12.2.3-g||ntincul", + "event.timezone": "OMST", + "file.name": "umdolors", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/uovol/prehend.html?eque=eufug#est", + "input.type": "log", + "log.offset": 25746, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.158.6.52" + ], + "related.user": [ + "sed" + ], + "rsa.internal.level": 3864, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "Nemoenim" + ], + "rsa.misc.result_code": "eFini", + "rsa.network.network_service": "acom", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.fqdn": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.web_cookie": "ntincul", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 4262, + "source.ip": [ + "10.158.6.52" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "lumdo", + "user.name": "sed", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 
CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", + "event.timezone": "CT", + "file.name": "atnul", + "fileset.name": "log", + "host.name": "tquo854.api.domain", + "http.request.referrer": "https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl", + "input.type": "log", + "log.offset": 26190, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.160.182" + ], + "related.user": [ + "urerepre" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "itessequ" + ], + "rsa.misc.result_code": "Nemoenim", + "rsa.network.alias_host": [ + "tquo854.api.domain" + ], + "rsa.network.network_service": "stquidol", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.fqdn": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.web_cookie": "isau", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1325, + "source.ip": [ + "10.195.160.182" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "umfugi", + "user.name": "urerepre", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": 
"tomcat", + "event.original": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", + "event.timezone": "ET", + "file.name": "udan", + "fileset.name": "log", + "http.request.referrer": "https://example.net/orum/Bonoru.txt?agnamal=quei#quio", + "input.type": "log", + "log.offset": 26601, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.20.68.117" + ], + "related.user": [ + "quas" + ], + "rsa.internal.level": 6084, + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "metco" + ], + "rsa.misc.result_code": "urQuis", + "rsa.network.network_service": "iutaliq", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.fqdn": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.web_cookie": "lamcola", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 1742, + "source.ip": [ + "10.20.68.117" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "archi", + "user.name": "quas", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.code": "CONNECT", + 
"event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", + "event.timezone": "PST", + "file.name": "radip", + "fileset.name": "log", + "host.name": "venia6656.api.domain", + "http.request.referrer": "https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica", + "input.type": "log", + "log.offset": 26982, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.136.235" + ], + "related.user": [ + "iti" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "amqu" + ], + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "venia6656.api.domain" + ], + "rsa.network.network_service": "tetura", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.fqdn": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.web_cookie": "ore", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6923, + "source.ip": [ + "10.94.136.235" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "upta", + "user.name": "iti", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 
YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "NCIRCLE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", + "event.timezone": "GMT+02:00", + "file.name": "elillum", + "fileset.name": "log", + "host.name": "veniam1216.www5.invalid", + "http.request.referrer": "https://example.com/santi/ritati.gif?turadip=dip#idolo", + "input.type": "log", + "log.offset": 27454, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.11.26" + ], + "related.user": [ + "ugiat" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "oinBCSed" + ], + "rsa.misc.result_code": "nula", + "rsa.network.alias_host": [ + "veniam1216.www5.invalid" + ], + "rsa.network.network_service": "nsequatu", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.fqdn": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.web_cookie": "aco", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2783, + "source.ip": [ + "10.152.11.26" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "veleumi", + 
"user.name": "ugiat", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met", + "event.timezone": "GMT+02:00", + "file.name": "Finibus", + "fileset.name": "log", + "host.name": "runtm5729.invalid", + "http.request.referrer": "https://www5.example.com/itametco/vel.htm?rere=pta#nonn", + "input.type": "log", + "log.offset": 27908, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.82.118.95" + ], + "related.user": [ + "ptate" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "labo" + ], + "rsa.misc.result_code": "tau", + "rsa.network.alias_host": [ + "runtm5729.invalid" + ], + "rsa.network.network_service": "olupta", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.fqdn": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.web_cookie": "met", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 5211, + "source.ip": [ + "10.82.118.95" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + 
"url.domain": "www5.example.com", + "url.query": "Utenimad", + "user.name": "ptate", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", + "event.timezone": "CEST", + "file.name": "amquaer", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/iat/ffic.htm?cte=aparia#CSe", + "input.type": "log", + "log.offset": 28378, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.187.152.213" + ], + "related.user": [ + "ventor" + ], + "rsa.internal.level": 4322, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "mag" + ], + "rsa.misc.result_code": "lpa", + "rsa.network.network_service": "enby", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.fqdn": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.web_cookie": "ugitsedq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3948, + "source.ip": [ + 
"10.187.152.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "aqui", + "user.name": "ventor", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", + "event.timezone": "GMT+02:00", + "file.name": "ever", + "fileset.name": "log", + "host.name": "pta6012.www.local", + "http.request.referrer": "https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei", + "input.type": "log", + "log.offset": 28738, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.98.71.45" + ], + "related.user": [ + "fugitse" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "eirur" + ], + "rsa.misc.result_code": "ipitlabo", + "rsa.network.alias_host": [ + "pta6012.www.local" + ], + "rsa.network.network_service": "eos", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.fqdn": 
"https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.web_cookie": "unt", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5440, + "source.ip": [ + "10.98.71.45" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "civelits", + "user.name": "fugitse", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", + "event.timezone": "OMST", + "file.name": "rumSecti", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu", + "input.type": "log", + "log.offset": 29180, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.86.123.33" + ], + "related.user": [ + "meum" + ], + "rsa.internal.level": 5971, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "doei" + ], + "rsa.misc.result_code": "orumS", + "rsa.network.network_service": "olore", + "rsa.time.event_time": 
"2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.fqdn": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.web_cookie": "yCiceroi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 757, + "source.ip": [ + "10.86.123.33" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "Utenima", + "user.name": "meum", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", + "event.timezone": "GMT-07:00", + "file.name": "tam", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc", + "input.type": "log", + "log.offset": 29627, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.6.112.183" + ], + "related.user": [ + "oluptat" + ], + "rsa.internal.level": 2852, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + 
"eni" + ], + "rsa.misc.result_code": "dunt", + "rsa.network.network_service": "eufugi", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.fqdn": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.web_cookie": "idatat", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 6169, + "source.ip": [ + "10.6.112.183" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "oremip", + "user.name": "oluptat", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "LOCK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", + "event.timezone": "CEST", + "file.name": "inimav", + "fileset.name": "log", + "host.name": "orsi2109.internal.home", + "http.request.referrer": "https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev", + "input.type": "log", + "log.offset": 30008, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + 
"related.ip": [ + "10.227.156.143" + ], + "related.user": [ + "idolo" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "tsedquia" + ], + "rsa.misc.result_code": "nci", + "rsa.network.alias_host": [ + "orsi2109.internal.home" + ], + "rsa.network.network_service": "midestl", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.fqdn": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.web_cookie": "seq", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6587, + "source.ip": [ + "10.227.156.143" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "tatevel", + "user.name": "idolo", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", + "event.timezone": "CT", + "file.name": "eprehen", + "fileset.name": "log", + "host.name": "quaeabil2539.www5.lan", + "http.request.referrer": "https://example.net/dolor/lorumwri.htm?mquis=lab#uido", + "input.type": "log", + "log.offset": 30458, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": 
"Apache", + "related.ip": [ + "10.124.129.248" + ], + "related.user": [ + "quide" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "cididun" + ], + "rsa.misc.result_code": "sectetu", + "rsa.network.alias_host": [ + "quaeabil2539.www5.lan" + ], + "rsa.network.network_service": "sequ", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "rsa.web.fqdn": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "rsa.web.web_cookie": "mwrit", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7182, + "source.ip": [ + "10.124.129.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "hilmole", + "user.name": "quide", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", + "event.timezone": "OMST", + "file.name": "eaqueip", + "fileset.name": "log", + "host.name": "aal1598.mail.host", + "http.request.referrer": 
"https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab", + "input.type": "log", + "log.offset": 30879, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.173.125.112" + ], + "related.user": [ + "upta" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "umtota" + ], + "rsa.misc.result_code": "rep", + "rsa.network.alias_host": [ + "aal1598.mail.host" + ], + "rsa.network.network_service": "olorema", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.fqdn": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.web_cookie": "isnisiut", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3380, + "source.ip": [ + "10.173.125.112" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "itaedict", + "user.name": "upta", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", + "event.timezone": "PST", + "file.name": "tno", 
+ "fileset.name": "log", + "http.request.referrer": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", + "input.type": "log", + "log.offset": 31317, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.37.156.140" + ], + "related.user": [ + "olores" + ], + "rsa.internal.level": 5227, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "epo" + ], + "rsa.misc.result_code": "lum", + "rsa.network.network_service": "taspe", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.fqdn": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.web_cookie": "idolorem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 5911, + "source.ip": [ + "10.37.156.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "iss", + "user.name": "olores", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", + "event.timezone": "ET", + "file.name": "nse", + 
"fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq", + "input.type": "log", + "log.offset": 31660, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.121.225.135" + ], + "related.user": [ + "cin" + ], + "rsa.internal.level": 5776, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "byC" + ], + "rsa.misc.result_code": "uatu", + "rsa.network.network_service": "evit", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.fqdn": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.web_cookie": "tnulapa", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2448, + "source.ip": [ + "10.121.225.135" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "miurere", + "user.name": "cin", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", + "event.timezone": "CEST", + "file.name": "ipis", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam", + "input.type": "log", + "log.offset": 32096, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.123.68.56" + ], + "related.user": [ + "olore" + ], + "rsa.internal.level": 7708, + "rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "dentsunt" + ], + "rsa.misc.result_code": "tam", + "rsa.network.network_service": "nesci", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.fqdn": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.web_cookie": "ntor", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1206, + "source.ip": [ + "10.123.68.56" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "itautfu", + "user.name": "olore", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 
GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", + "event.timezone": "GMT-07:00", + "file.name": "orsitv", + "fileset.name": "log", + "host.name": "oid218.api.invalid", + "http.request.referrer": "https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi", + "input.type": "log", + "log.offset": 32480, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.63.56.164" + ], + "related.user": [ + "evo" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "avolu" + ], + "rsa.misc.result_code": "uun", + "rsa.network.alias_host": [ + "oid218.api.invalid" + ], + "rsa.network.network_service": "uisaute", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.fqdn": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.web_cookie": "umd", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 4638, + "source.ip": [ + "10.63.56.164" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "temseq", + "user.name": "evo", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": 
"HEAD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", + "event.timezone": "ET", + "file.name": "itl", + "fileset.name": "log", + "host.name": "sectetur2674.www5.test", + "http.request.referrer": "https://example.com/eumfu/lors.gif?upidata=ici#usant", + "input.type": "log", + "log.offset": 32919, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.10.137" + ], + "related.user": [ + "deomnisi" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "issus" + ], + "rsa.misc.result_code": "quiav", + "rsa.network.alias_host": [ + "sectetur2674.www5.test" + ], + "rsa.network.network_service": "olor", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.fqdn": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.web_cookie": "con", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 6648, + "source.ip": [ + "10.62.10.137" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "ttenb", + "user.name": "deomnisi", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile 
Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", + "event.timezone": "GMT+02:00", + "file.name": "umqui", + "fileset.name": "log", + "host.name": "sequatD4487.internal.localhost", + "http.request.referrer": "https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi", + "input.type": "log", + "log.offset": 33403, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.154.115" + ], + "related.user": [ + "nimv" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "tconse" + ], + "rsa.misc.result_code": "mquia", + "rsa.network.alias_host": [ + "sequatD4487.internal.localhost" + ], + "rsa.network.network_service": "temsequi", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.fqdn": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.web_cookie": "cti", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 1119, + "source.ip": [ + "10.89.154.115" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": 
"citation", + "user.name": "nimv", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", + "event.timezone": "PST", + "file.name": "boreet", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/xerc/Nequep.htm?ria=beat#rro", + "input.type": "log", + "log.offset": 33846, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.122.252.130" + ], + "related.user": [ + "mmo" + ], + "rsa.internal.level": 4758, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlaboru" + ], + "rsa.misc.result_code": "snostr", + "rsa.network.network_service": "ento", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.fqdn": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.web_cookie": "uisau", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3904, + "source.ip": [ + "10.122.252.130" + ], + 
"tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "luptasnu", + "user.name": "mmo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", + "event.timezone": "GMT-07:00", + "file.name": "tesse", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut", + "input.type": "log", + "log.offset": 34283, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.152.53" + ], + "related.user": [ + "ute" + ], + "rsa.internal.level": 2573, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tationu" + ], + "rsa.misc.result_code": "oluptas", + "rsa.network.network_service": "isno", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.fqdn": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.web_cookie": "paq", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 5560, + "source.ip": [ + 
"10.195.152.53" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "olupta", + "user.name": "ute", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", + "event.timezone": "CT", + "file.name": "mexerci", + "fileset.name": "log", + "host.name": "nul5107.www5.domain", + "http.request.referrer": "https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi", + "input.type": "log", + "log.offset": 34572, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.9.255.204" + ], + "related.user": [ + "emUtenim" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "uid" + ], + "rsa.misc.result_code": "ctetur", + "rsa.network.alias_host": [ + "nul5107.www5.domain" + ], + "rsa.network.network_service": "ditaut", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.fqdn": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.web_cookie": "iaeconse", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 3089, + "source.ip": [ + "10.9.255.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": 
"mail.example.com", + "url.query": "urEx", + "user.name": "emUtenim", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", + "event.timezone": "GMT-07:00", + "file.name": "boriosa", + "fileset.name": "log", + "host.name": "nimadmin5630.localdomain", + "http.request.referrer": "https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost", + "input.type": "log", + "log.offset": 35009, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.214.235.133" + ], + "related.user": [ + "nulapari" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tsunt" + ], + "rsa.misc.result_code": "moenimip", + "rsa.network.alias_host": [ + "nimadmin5630.localdomain" + ], + "rsa.network.network_service": "ditau", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "rsa.web.fqdn": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + 
"rsa.web.web_cookie": "evel", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5930, + "source.ip": [ + "10.214.235.133" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "cillumdo", + "user.name": "nulapari", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", + "event.timezone": "PT", + "file.name": "lors", + "fileset.name": "log", + "host.name": "sequuntu3563.internal.test", + "http.request.referrer": "https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi", + "input.type": "log", + "log.offset": 35444, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.134.204" + ], + "related.user": [ + "iarchit" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "orum" + ], + "rsa.misc.result_code": "tur", + "rsa.network.alias_host": [ + "sequuntu3563.internal.test" + ], + "rsa.network.network_service": "docons", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + 
"rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.fqdn": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.web_cookie": "taevit", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3197, + "source.ip": [ + "10.5.134.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "eumfu", + "user.name": "iarchit", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", + "event.timezone": "CEST", + "file.name": "quaerat", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi", + "input.type": "log", + "log.offset": 35912, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.144.111.42" + ], + "related.user": [ + "vento" + ], + "rsa.internal.level": 6820, + "rsa.internal.messageid": "SEARCH", + 
"rsa.misc.action": [ + "asnu" + ], + "rsa.misc.result_code": "ptateve", + "rsa.network.network_service": "aturve", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.fqdn": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.web_cookie": "lorumw", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 7615, + "source.ip": [ + "10.144.111.42" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "tDuisau", + "user.name": "vento", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", + "event.timezone": "CT", + "file.name": "illumdo", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/uae/ata.htm?snulap=cidu#hilmol", + "input.type": "log", + "log.offset": 36349, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + 
"related.ip": [ + "10.122.0.80" + ], + "related.user": [ + "ola" + ], + "rsa.internal.level": 3071, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "etquasia" + ], + "rsa.misc.result_code": "eseosq", + "rsa.network.network_service": "remaper", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.fqdn": "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.web_cookie": "quamq", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 2945, + "source.ip": [ + "10.122.0.80" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "antium", + "user.name": "ola", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", + "event.timezone": "ET", + "file.name": "dit", + "fileset.name": "log", + "host.name": "tdolo2150.www.example", + "http.request.referrer": 
"https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug", + "input.type": "log", + "log.offset": 36779, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.165.33.19" + ], + "related.user": [ + "iusmodi" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "aparia" + ], + "rsa.misc.result_code": "tetura", + "rsa.network.alias_host": [ + "tdolo2150.www.example" + ], + "rsa.network.network_service": "yCic", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.fqdn": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.web_cookie": "lapari", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 1569, + "source.ip": [ + "10.165.33.19" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "namaliqu", + "user.name": "iusmodi", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36||quid", + "event.timezone": "CT", + "file.name": "quiav", + "fileset.name": "log", + "host.name": "cinge6032.api.local", + "http.request.referrer": "https://internal.example.org/unt/isni.htm?ecillum=olor#amei", + "input.type": "log", + "log.offset": 37193, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.92.17" + ], + "related.user": [ + "tamr" + ], + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "iutaliq" + ], + "rsa.misc.result_code": "sam", + "rsa.network.alias_host": [ + "cinge6032.api.local" + ], + "rsa.network.network_service": "elit", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.fqdn": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.web_cookie": "quid", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6211, + "source.ip": [ + "10.87.92.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ctionofd", + "user.name": "tamr", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 
ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", + "event.timezone": "ET", + "file.name": "emp", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat", + "input.type": "log", + "log.offset": 37607, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.51.52.203" + ], + "related.user": [ + "itame" + ], + "rsa.internal.level": 7615, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "dictasun" + ], + "rsa.misc.result_code": "mollit", + "rsa.network.network_service": "non", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.fqdn": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.web_cookie": "mqu", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 5823, + "source.ip": [ + "10.51.52.203" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "arch", + "user.name": "itame", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 
10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", + "event.timezone": "CEST", + "file.name": "utfugi", + "fileset.name": "log", + "host.name": "ende6053.local", + "http.request.referrer": "https://internal.example.net/tvol/lup.gif?ollita=qua#ionula", + "input.type": "log", + "log.offset": 37977, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.0.211.86" + ], + "related.user": [ + "imipsa" + ], + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "int" + ], + "rsa.misc.result_code": "mmodicon", + "rsa.network.alias_host": [ + "ende6053.local" + ], + "rsa.network.network_service": "tio", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.fqdn": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.web_cookie": "cusa", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6776, + "source.ip": [ + "10.0.211.86" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "ursintoc", + "user.name": "imipsa", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + 
"user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", + "event.timezone": "PST", + "file.name": "leumiur", + "fileset.name": "log", + "http.request.referrer": "https://example.net/undeomn/ape.jpg?amco=ons#onsecte", + "input.type": "log", + "log.offset": 38442, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.106.34.244" + ], + "related.user": [ + "nim" + ], + "rsa.internal.level": 264, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "rehen" + ], + "rsa.misc.result_code": "taliqui", + "rsa.network.network_service": "ave", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.fqdn": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.web_cookie": "atquo", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3714, + "source.ip": [ + "10.106.34.244" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ssequamn", + "user.name": "nim", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides", + "event.timezone": "OMST", + "file.name": "onorume", + "fileset.name": "log", + "http.request.referrer": "https://example.net/tionev/uasiarch.html?qui=ehender#equa", + "input.type": "log", + "log.offset": 38823, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.191.210.188" + ], + "related.user": [ + "ruredol" + ], + "rsa.internal.level": 2943, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "ipit" + ], + "rsa.misc.result_code": "ofdeFini", + "rsa.network.network_service": "ametcon", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.fqdn": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.web_cookie": "nimides", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7052, + "source.ip": [ + "10.191.210.188" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "abill", + "user.name": "ruredol", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", + "event.timezone": "GMT+02:00", + "file.name": "nemul", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira", + "input.type": "log", + "log.offset": 39233, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.2.38.49" + ], + "related.user": [ + "lor" + ], + "rsa.internal.level": 6165, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "snula" + ], + "rsa.misc.result_code": "quatur", + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.fqdn": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.web_cookie": "aea", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 5775, + "source.ip": [ + "10.2.38.49" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "Duis", + "user.name": "lor", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + 
"event.module": "tomcat", + "event.original": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", + "event.timezone": "PST", + "file.name": "cipitla", + "fileset.name": "log", + "host.name": "didun1193.example", + "http.request.referrer": "https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo", + "input.type": "log", + "log.offset": 39505, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.66.92.90" + ], + "related.user": [ + "atisu" + ], + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tse" + ], + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + "didun1193.example" + ], + "rsa.network.network_service": "vel", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.fqdn": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.web_cookie": "samvol", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4580, + "source.ip": [ + "10.66.92.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tlab", + "user.name": "atisu", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", + "event.timezone": "PST", + "file.name": "sequines", + "fileset.name": "log", + "host.name": "apari2660.www5.lan", + "http.request.referrer": "https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve", + "input.type": "log", + "log.offset": 39956, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.97.108.108" + ], + "related.user": [ + "teirured" + ], + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "sistena" + ], + "rsa.misc.result_code": "lorum", + "rsa.network.alias_host": [ + "apari2660.www5.lan" + ], + "rsa.network.network_service": "sequa", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.fqdn": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.web_cookie": "toditau", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 7649, + "source.ip": [ + "10.97.108.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "olor", + "user.name": "teirured", + 
"user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", + "event.timezone": "CET", + "file.name": "econ", + "fileset.name": "log", + "host.name": "nvolupta238.www.host", + "http.request.referrer": "https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons", + "input.type": "log", + "log.offset": 40457, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.147.147.248" + ], + "related.user": [ + "uira" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "ptatev" + ], + "rsa.misc.result_code": "catcup", + "rsa.network.alias_host": [ + "nvolupta238.www.host" + ], + "rsa.network.network_service": "rve", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.fqdn": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.web_cookie": "lupta", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + 
"source.bytes": 177, + "source.ip": [ + "10.147.147.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "aborio", + "user.name": "uira", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.code": "NCIRCLE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", + "event.timezone": "GMT-07:00", + "file.name": "sedd", + "fileset.name": "log", + "host.name": "icer123.mail.example", + "http.request.referrer": "https://api.example.com/dan/pta.html?oNem=itaedict#eroi", + "input.type": "log", + "log.offset": 40863, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.190.61" + ], + "related.user": [ + "culp" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "nesciu" + ], + "rsa.misc.result_code": "oremeu", + "rsa.network.alias_host": [ + "icer123.mail.example" + ], + "rsa.network.network_service": "tvolup", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.fqdn": 
"https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.web_cookie": "uptateve", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 6708, + "source.ip": [ + "10.152.190.61" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "atione", + "user.name": "culp", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", + "event.timezone": "GMT-07:00", + "file.name": "edictasu", + "fileset.name": "log", + "host.name": "lumqui6488.api.example", + "http.request.referrer": "https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe", + "input.type": "log", + "log.offset": 41290, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.129.232.105" + ], + "related.user": [ + "deFini" + ], + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "aliquaU" + ], + "rsa.misc.result_code": "noru", + "rsa.network.alias_host": [ + 
"lumqui6488.api.example" + ], + "rsa.network.network_service": "umS", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.fqdn": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.web_cookie": "quamqua", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 5321, + "source.ip": [ + "10.129.232.105" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "eturadi", + "user.name": "deFini", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", + "event.timezone": "PT", + "file.name": "litsedd", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse", + "input.type": "log", + "log.offset": 41781, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + 
"related.ip": [ + "10.12.173.112" + ], + "related.user": [ + "mco" + ], + "rsa.internal.level": 5473, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "undeom" + ], + "rsa.misc.result_code": "hite", + "rsa.network.network_service": "inBC", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.fqdn": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.web_cookie": "emeumfu", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 423, + "source.ip": [ + "10.12.173.112" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.query": "nidol", + "user.name": "mco", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md new file mode 100644 index 00000000000..0cd50920c35 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/README.md @@ -0,0 +1,7 @@ +# zscaler module + +This is a module for Zscaler NSS logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 +at 2020-07-13 17:55:42.808847 +0000 UTC. + diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml new file mode 100644 index 00000000000..9afb8712afb --- /dev/null +++ b/x-pack/filebeat/module/zscaler/_meta/config.yml 
@@ -0,0 +1,19 @@
+- module: zscaler
+ zia:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9521
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
new file mode 100644
index 00000000000..48199b9c7f3
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
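Review bot: The commented `var.input: udp` / `var.syslog_host: localhost` defaults give no hint that changing the host turns this into a network-exposed listener, while the docs.asciidoc added in this same commit tells users to set `0.0.0.0` to bind all interfaces. Syslog over UDP carries no sender authentication, so anything that can reach the port can inject events, and the fields the parser derives from them (addresses, user names, actions) will be indexed as if the device had reported them. I would add above `# var.syslog_host: localhost` the lines `# Binding to 0.0.0.0 exposes an unauthenticated listener: restrict it with a` / `# firewall and prefer tcp, since udp syslog cannot verify the sender.` The template also omits `var.keep_raw_fields`, which docs.asciidoc documents as a fileset setting; a commented `# var.keep_raw_fields: false` entry here would keep the two in step.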
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: zscaler
+:has-dashboards: false
+
+== Zscaler module
+
+experimental[]
+
+This is a module for receiving Zscaler NSS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: zia
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `zia` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9521`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/zscaler/_meta/fields.yml b/x-pack/filebeat/module/zscaler/_meta/fields.yml
new file mode 100644
index 00000000000..d8e04d3db90
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: zscaler + title: Zscaler NSS + description: > + zscaler fields. + fields: diff --git a/x-pack/filebeat/module/zscaler/fields.go b/x-pack/filebeat/module/zscaler/fields.go new file mode 100644 index 00000000000..3dfbb284165 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zscaler + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zscaler", asset.ModuleFieldsPri, AssetZscaler); err != nil { + panic(err) + } +} + +// AssetZscaler returns asset data. +// This is the base64 encoded gzipped contents of module/zscaler. +func AssetZscaler() string { + return "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" +} diff --git a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml new file mode 100644 index 00000000000..05e5f5c886e --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml 
@@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Zscaler" + product: "Internet" + type: "Configuration" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/zscaler/zia/config/liblogparser.js + - ${path.home}/module/zscaler/zia/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js new file mode 100644 index 00000000000..c8cf5e2ee06 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js 
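Review bot: The non-file branch (`type: {{.input}}` with `host: "{{.syslog_host}}:{{.syslog_port}}"`) exposes only a plain TCP/UDP listener — the template offers no `ssl` block and nothing restricts who may send — so any host that can reach the port gets its data parsed and labelled `observer.vendor: "Zscaler"`, and for a dataset whose field list in this same PR includes `web_cookie`/`p_web_cookie`, URLs and user names that deserves a line of warning. The defaults for `syslog_host`/`syslog_port` presumably live in the manifest, which is outside this hunk, so I cannot tell whether the listener binds to localhost unless configured otherwise. I would put a comment above the `{{ else }}` branch, `# tcp/udp listener is unauthenticated and unencrypted: bind syslog_host to a trusted interface and prefer the tcp input (with ssl) when the Zscaler NSS forwarder is not on this host`, and, if the manifest exposes an ssl variable, render it here for the tcp case. It is also worth noting next to the script params that `keep_raw` and `debug` both widen what is retained or logged: the bundled liblogparser sets `event.original` from `message` and, with `debug` on, prints every input line via `console.debug`, so the raw request data lands in the Filebeat log as well as in the index.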
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset =
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","ZSCALERNSS_1"), +])); + +var select1 = linear_select([ + hdr1, +]); + +var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ + setc("eventcategory","1605000000"), + setf("fqdn","hostname"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["hmonth","hday","hyear","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dW,dN,dU,dO], + ], + }), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setc("ec_theme","Communication"), + setc("ec_subject","User"), +])); + +var msg1 = msg("ZSCALERNSS_1", part1); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ZSCALERNSS_1": msg1, + }), +]); diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml new file mode 100644 index 00000000000..3354fb0674a --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml 
@@ -0,0 +1,55 @@
+---
+description: Pipeline for Zscaler NSS
+
+processors:
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/zscaler/zia/manifest.yml b/x-pack/filebeat/module/zscaler/zia/manifest.yml
new file mode 100644
index 00000000000..471000ba66f
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/manifest.yml
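Review bot: The `on_failure` handler at the end of the hunk appends the failure reason to `error.message` but puts nothing else on the event to mark it as a pipeline failure, so a partially enriched event (the remaining processors are skipped once a `geoip` or `rename` step throws) is indistinguishable from a fully processed one unless `error.message` is queried. I would add a second step to the handler, `- set: {field: event.kind, value: pipeline_error}`, using the ECS-defined `event.kind` value, so dashboards and detection rules can filter or alert on unparsed Zscaler events rather than silently missing them. The `description` could also name the module as shipped (`zscaler/zia`) rather than only the NSS feed, which is what the manifest and default tags refer to.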
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["zscaler.zia", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9521
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log b/x-pack/filebeat/module/zscaler/zia/test/generated.log
new file mode 100644
index 00000000000..328281d72ba
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log
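Review bot: The defaults `input: udp`, `syslog_host: localhost` and `syslog_port: 9521` describe an unauthenticated UDP listener, and nothing in the manifest records that the loopback default is deliberate. A comment next to `syslog_host`, e.g. `# Loopback by default: syslog over UDP carries no sender authentication, so bind to a network address only where the listener is otherwise restricted (firewall, dedicated collector)`, would keep operators from exposing the port without considering spoofed or flooded input. The `tz_offset`, `rsa_fields` and `keep_raw_fields` vars also carry no description of what they control or which values they accept; if the module README does not cover them, a one-line comment per var would help.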
@@ -0,0 +1,100 @@ +iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942 +olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868 +amco ZSCALERNSS: time=exe Feb 26 8:15:08 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905 +uian ZSCALERNSS: time=tempo Mar 12 3:17:42 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292 +dmi ZSCALERNSS: time=olab Mar 26 10:20:16 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787 +llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061 +ema ZSCALERNSS: time=par Apr 24 12:25:25 
2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152 +tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051 +upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578 +rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526 +tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 
2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741 +rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298 +quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073 +equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509 +tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 
2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927 +sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688 +ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52 +ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301 +adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 
2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672 +quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332 +adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014 +fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664 +ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846 +acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702 +ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 
2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696 +quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365 +inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302 +eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622 +tur ZSCALERNSS: time=ictas Mar 4 11:21:59 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501 +roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879 +eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617 +autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460 +caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 
2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099 +mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373 +atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16 +rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695 +equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142 +ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735 +riame ZSCALERNSS: time=riat Jul 25 9:47:41 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203 +ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813 +tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386 +tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429 +olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185 +tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577 +quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281 +tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017 +nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046 +uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800 +cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 
2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815 +tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882 +eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 
2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826 +uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914 +pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 
2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991 +luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993 +uam ZSCALERNSS: time=quis Mar 11 2:28:49 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078 +eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508 +asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52 +umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724 +aliqu ZSCALERNSS: time=sequine May 7 6:39:06 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916 +mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345 +hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 
2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421 +iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052 +cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562 +eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526 +deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491 +siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258 +rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676 +pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238 +usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365 +iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280 +tione ZSCALERNSS: time=nibus Oct 25 7:09:57 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672 +modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212 +issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 
2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020 +tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306 +ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210 +dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808 +deser ZSCALERNSS: time=boris Jan 19 1:25:23 
2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714 +userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977 +mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673 +nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667 +ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076 +laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789 +lit ZSCALERNSS: time=uiine Apr 15 7:40:49 
2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409 +rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318 +erita ZSCALERNSS: time=eursint May 13 9:45:57 
2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330 +poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218 +uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838 +eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304 +tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 
2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077 +riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089 +liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 
2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843 +ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508 +osam ZSCALERNSS: time=ncid Sep 5 6:06:31 
2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182 +idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480 +uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856 +ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119 +utodit ZSCALERNSS: time=cer Nov 1 10:16:48 
2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150 +pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387 +agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487 +onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json new file mode 100644 index 00000000000..2df5f4bcff8 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json 
@@ -0,0 +1,7276 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.bytes": 1803, + "destination.ip": [ + "10.206.191.17" + ], + "event.action": "Blocked", + "event.code": "litesse", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942", + "event.timezone": "GMT+02:00", + "file.type": "psa", + "fileset.name": "zia", + "host.name": "rci737.www5.example", + "http.request.referrer": "https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo", + "input.type": "log", + "log.offset": 0, + "network.bytes": 3942, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.176.10.114", + "10.206.191.17" + ], + "related.user": [ + "sumdo" + ], + "rsa.db.index": "ntsunti", + "rsa.identity.user_dept": "sperna", + "rsa.internal.data": "iusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntium", + "rsa.misc.action": [ + "Blocked", + 
"pisciv" + ], + "rsa.misc.category": "umq", + "rsa.misc.filter": "oremi", + "rsa.misc.reference_id": "litesse", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "sist", + "rsa.network.alias_host": [ + "rci737.www5.example" + ], + "rsa.threat.threat_category": "cer", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rci737.www5.example", + "service.type": "zscaler", + "source.bytes": 1884, + "source.ip": [ + "10.176.10.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap", + "user.name": "sumdo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "destination.bytes": 2004, + "destination.ip": [ + "10.173.22.152" + ], + "event.action": "Allowed", + "event.code": "byC", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868", + "event.timezone": "CT", + "file.type": "ntex", + "fileset.name": "zia", + "host.name": "eosquir5191.www.example", + "http.request.referrer": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", + "input.type": "log", + "log.offset": 844, + "network.bytes": 7868, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.173.22.152", + "10.26.46.95" + ], + "related.user": [ + "eataevi" + ], + "rsa.db.index": "aqu", + "rsa.identity.user_dept": "com", + "rsa.internal.data": "olupt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.action": [ + "Allowed", + "tur" + ], + "rsa.misc.category": "eius", + "rsa.misc.filter": "ameaqu", + "rsa.misc.reference_id": "byC", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "atemsequ", + "rsa.network.alias_host": [ + "eosquir5191.www.example" + ], + "rsa.threat.threat_category": "aer", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "eosquir5191.www.example", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.26.46.95" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia", + "user.name": "eataevi", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.bytes": 1837, + "destination.ip": [ + "10.204.86.149" + ], + "event.action": "Blocked", + "event.code": "laboreet", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905", + "event.timezone": "CT", + "file.type": "oluptas", + "fileset.name": "zia", + "host.name": "orsitame3262.domain", + "http.request.referrer": "https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit", + "input.type": "log", + "log.offset": 1742, + "network.bytes": 6905, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.254.146.57", + "10.204.86.149" + ], + "related.user": [ + "tenima" + ], + "rsa.db.index": "nsequat", + "rsa.identity.user_dept": "onev", + "rsa.internal.data": "amco", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uptassi", + "rsa.misc.action": [ + "Blocked", + "giatq" + ], + "rsa.misc.category": "llu", + "rsa.misc.filter": "tconsec", + "rsa.misc.reference_id": "laboreet", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "orsitame3262.domain" + ], + "rsa.threat.threat_category": "tur", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "orsitame3262.domain", + "service.type": "zscaler", + "source.bytes": 2935, + "source.ip": [ + "10.254.146.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", + "user.name": "tenima", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.bytes": 3856, + "destination.ip": [ + "10.103.246.190" + ], + "event.action": "Allowed", + "event.code": "suntinc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uian ZSCALERNSS: time=tempo Mar 12 3:17:42 
2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292", + "event.timezone": "PST", + "file.type": "natura", + "fileset.name": "zia", + "host.name": "tempor4496.www.localdomain", + "http.request.referrer": "https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi", + "input.type": "log", + "log.offset": 2617, + "network.bytes": 4292, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.103.246.190", + "10.252.125.53" + ], + "related.user": [ + "equun" + ], + "rsa.db.index": "uiano", + "rsa.identity.user_dept": "ari", + "rsa.internal.data": "uian", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ima", + "rsa.misc.action": [ + "Allowed", + "llam" + ], + "rsa.misc.category": "aboris", + "rsa.misc.filter": "atatnonp", + "rsa.misc.reference_id": "suntinc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "tempor4496.www.localdomain" + ], + 
"rsa.threat.threat_category": "nimadmin", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tempor4496.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3077, + "source.ip": [ + "10.252.125.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", + "user.name": "equun", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.bytes": 5772, + "destination.ip": [ + "10.61.78.108" + ], + "event.action": "Blocked", + "event.code": "umdolore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "dmi ZSCALERNSS: time=olab Mar 26 10:20:16 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787", + "event.timezone": "GMT-07:00", + "file.type": 
"umdolor", + "fileset.name": "zia", + "host.name": "ore2933.www.test", + "http.request.referrer": "https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam", + "input.type": "log", + "log.offset": 3507, + "network.bytes": 6787, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.61.78.108", + "10.136.153.149" + ], + "related.user": [ + "ercit" + ], + "rsa.db.index": "idexea", + "rsa.identity.user_dept": "ciati", + "rsa.internal.data": "dmi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inim", + "rsa.misc.action": [ + "reetdolo", + "Blocked" + ], + "rsa.misc.category": "osquir", + "rsa.misc.filter": "ipit", + "rsa.misc.reference_id": "umdolore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "ore2933.www.test" + ], + "rsa.threat.threat_category": "roinBCSe", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ore2933.www.test", + "service.type": "zscaler", + "source.bytes": 2451, + "source.ip": [ + "10.136.153.149" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea", + "user.name": "ercit", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "destination.bytes": 2984, + "destination.ip": [ + "10.183.16.166" + ], + 
"event.action": "Allowed", + "event.code": "remipsum", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061", + "event.timezone": "GMT-07:00", + "file.type": "eriame", + "fileset.name": "zia", + "host.name": "ollit4105.mail.localdomain", + "http.request.referrer": "https://example.com/metcon/smo.jpg?upta=omn#ipsumq", + "input.type": "log", + "log.offset": 4394, + "network.bytes": 6061, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.183.16.166", + "10.66.250.92" + ], + "related.user": [ + "tessec" + ], + "rsa.db.index": "essecill", + "rsa.identity.user_dept": "ons", + "rsa.internal.data": "llam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "avol", + "rsa.misc.action": [ + "ist", + "Allowed" + ], + "rsa.misc.category": "lorema", + "rsa.misc.filter": "sun", + 
"rsa.misc.reference_id": "remipsum", + "rsa.misc.result": "success", + "rsa.misc.result_code": "onsequat", + "rsa.network.alias_host": [ + "ollit4105.mail.localdomain" + ], + "rsa.threat.threat_category": "atuse", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ollit4105.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 571, + "source.ip": [ + "10.66.250.92" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd", + "user.name": "tessec", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.bytes": 2053, + "destination.ip": [ + "10.243.224.205" + ], + "event.action": "Blocked", + "event.code": "lpa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ema ZSCALERNSS: time=par Apr 24 12:25:25 2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152", + "event.timezone": "PT", + "file.type": "ipi", + "fileset.name": "zia", + "host.name": "cup1793.local", + "http.request.referrer": "https://api.example.com/loremq/lores.txt?iqui=etc#etM", + "input.type": "log", + "log.offset": 5306, + "network.bytes": 152, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.123.104.59", + "10.243.224.205" + ], + "related.user": [ + "xercitat" + ], + "rsa.db.index": "edqui", + "rsa.identity.user_dept": "eprehen", + "rsa.internal.data": "ema", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lupt", + "rsa.misc.action": [ + "dun", + "Blocked" + ], + "rsa.misc.category": "rsitamet", + "rsa.misc.filter": "usmod", + "rsa.misc.reference_id": "lpa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rsitam", + "rsa.network.alias_host": [ + "cup1793.local" + ], + "rsa.threat.threat_category": "qua", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "cup1793.local", + "service.type": "zscaler", + "source.bytes": 941, + "source.ip": [ + "10.123.104.59" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura", + "user.name": "xercitat", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.bytes": 6888, + "destination.ip": [ + "10.119.185.63" + ], + "event.action": "Blocked", + "event.code": "amqu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051", + "event.timezone": "GMT+02:00", + "file.type": "mUtenima", + "fileset.name": "zia", + "host.name": "icab4668.local", + "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "input.type": "log", + "log.offset": 6194, + "network.bytes": 6051, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.74.17.5", + "10.119.185.63" + ], + "related.user": [ + "erc" + ], + "rsa.db.index": "ume", + "rsa.identity.user_dept": "itecto", + "rsa.internal.data": "tema", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tame", + "rsa.misc.action": [ + "nsec", + "Blocked" + ], + "rsa.misc.category": "emaperi", + "rsa.misc.filter": "rehe", + "rsa.misc.reference_id": "amqu", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "inibusBo", + "rsa.network.alias_host": [ + "icab4668.local" + ], + "rsa.threat.threat_category": "tectobe", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "icab4668.local", + "service.type": "zscaler", + "source.bytes": 6907, + "source.ip": [ + "10.74.17.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des", + "user.name": "erc", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "destination.bytes": 6354, + "destination.ip": [ + "10.78.151.178" + ], + "event.action": "Allowed", + "event.code": "mporain", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578", + "event.timezone": "CET", + "file.type": "eprehend", + "fileset.name": "zia", + "host.name": "aperia4409.www5.invalid", + "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", + "input.type": "log", + "log.offset": 7136, + "network.bytes": 6578, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.78.151.178", + "10.25.192.202" + ], + "related.user": [ + "quip" + ], + "rsa.db.index": "iadese", + "rsa.identity.user_dept": "ecillu", + "rsa.internal.data": "upt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atquovo", + "rsa.misc.action": [ + "amvolup", + "Allowed" + ], + "rsa.misc.category": "hil", + "rsa.misc.filter": "deFinibu", + "rsa.misc.reference_id": "mporain", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "colabo", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + 
"rsa.threat.threat_category": "xeac", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "aperia4409.www5.invalid", + "service.type": "zscaler", + "source.bytes": 7700, + "source.ip": [ + "10.25.192.202" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn", + "user.name": "quip", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "destination.bytes": 5269, + "destination.ip": [ + "10.71.170.37" + ], + "event.action": "Allowed", + "event.code": "umexerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526", + "event.timezone": "GMT+02:00", + "file.type": "mipsumd", + 
"fileset.name": "zia", + "host.name": "sitvolup368.internal.host", + "http.request.referrer": "https://api.example.net/quirat/llu.jpg?isc=aturve#emulla", + "input.type": "log", + "log.offset": 8036, + "network.bytes": 2526, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.71.170.37", + "10.135.225.244" + ], + "related.user": [ + "atu" + ], + "rsa.db.index": "serror", + "rsa.identity.user_dept": "atiset", + "rsa.internal.data": "rumetM", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ihilm", + "rsa.misc.action": [ + "psaquae", + "Allowed" + ], + "rsa.misc.category": "eFinib", + "rsa.misc.filter": "inesci", + "rsa.misc.reference_id": "umexerci", + "rsa.misc.result": "success", + "rsa.misc.result_code": "utla", + "rsa.network.alias_host": [ + "sitvolup368.internal.host" + ], + "rsa.threat.threat_category": "eav", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "sitvolup368.internal.host", + "service.type": "zscaler", + "source.bytes": 7355, + "source.ip": [ + "10.135.225.244" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", + "user.name": "atu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.bytes": 752, + "destination.ip": [ + "10.223.247.86" + ], + 
"event.action": "Allowed", + "event.code": "lup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741", + "event.timezone": "ET", + "file.type": "ari", + "fileset.name": "zia", + "host.name": "ite2026.www.invalid", + "http.request.referrer": "https://internal.example.net/acc/amc.txt?amest=corp#modtemp", + "input.type": "log", + "log.offset": 8916, + "network.bytes": 7741, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.19.145.131", + "10.223.247.86" + ], + "related.user": [ + "tNequepo" + ], + "rsa.db.index": "rinrepre", + "rsa.identity.user_dept": "oluptas", + "rsa.internal.data": "tlabori", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "sci", + "rsa.misc.action": [ + "emseq", + "Allowed" + ], + "rsa.misc.category": "exercit", + "rsa.misc.filter": "taevit", + "rsa.misc.reference_id": 
"lup", + "rsa.misc.result": "success", + "rsa.misc.result_code": "pic", + "rsa.network.alias_host": [ + "ite2026.www.invalid" + ], + "rsa.threat.threat_category": "oluptate", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ite2026.www.invalid", + "service.type": "zscaler", + "source.bytes": 821, + "source.ip": [ + "10.19.145.131" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/bor/occa.htm?dol=leumiu#namali", + "user.name": "tNequepo", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "destination.bytes": 3314, + "destination.ip": [ + "10.2.53.125" + ], + "event.action": "Allowed", + "event.code": "radi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298", + "event.timezone": "GMT-07:00", + "file.type": "agnid", + "fileset.name": "zia", + "host.name": "radipisc7020.home", + "http.request.referrer": "https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio", + "input.type": "log", + "log.offset": 9805, + "network.bytes": 7298, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.2.53.125", + "10.181.80.139" + ], + "related.user": [ + "ihilmo" + ], + "rsa.db.index": "tin", + "rsa.identity.user_dept": "aboN", + "rsa.internal.data": "rsita", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dolorem", + "rsa.misc.action": [ + "Allowed", + "lorsitam" + ], + "rsa.misc.category": "proide", + "rsa.misc.filter": "pariatu", + "rsa.misc.reference_id": "radi", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ris", + "rsa.network.alias_host": [ + "radipisc7020.home" + ], + "rsa.threat.threat_category": "volupt", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "radipisc7020.home", + "service.type": "zscaler", + "source.bytes": 6408, + "source.ip": [ + "10.181.80.139" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "user.name": "ihilmo", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 
9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "destination.bytes": 2742, + "destination.ip": [ + "10.31.240.6" + ], + "event.action": "Allowed", + "event.code": "olup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073", + "event.timezone": "ET", + "file.type": "sciun", + "fileset.name": "zia", + "host.name": "uamei2493.www.test", + "http.request.referrer": "https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo", + "input.type": "log", + "log.offset": 10682, + "network.bytes": 3073, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.31.240.6", + "10.167.98.76" + ], + "related.user": [ + "ratvolu" + ], + "rsa.db.index": "bore", + "rsa.identity.user_dept": "gnido", + "rsa.internal.data": "quioffi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "catc", + "rsa.misc.action": [ + "Allowed", + "veni" + ], + "rsa.misc.category": "sBono", + "rsa.misc.filter": "isnisiu", + "rsa.misc.reference_id": "olup", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "veniamqu", + "rsa.network.alias_host": [ + "uamei2493.www.test" + ], + "rsa.threat.threat_category": "idata", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uamei2493.www.test", + "service.type": "zscaler", + "source.bytes": 3140, + "source.ip": [ + "10.167.98.76" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "user.name": "ratvolu", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.bytes": 5368, + "destination.ip": [ + "10.0.55.9" + ], + "event.action": "Allowed", + "event.code": "rcitati", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=derit Aug 2 1:43:25 
2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509", + "event.timezone": "PT", + "file.type": "ecte", + "fileset.name": "zia", + "host.name": "piscin6866.internal.host", + "http.request.referrer": "https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim", + "input.type": "log", + "log.offset": 11586, + "network.bytes": 509, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.135.160.125", + "10.0.55.9" + ], + "related.user": [ + "volupta" + ], + "rsa.db.index": "mfugiat", + "rsa.identity.user_dept": "Utenima", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iurer", + "rsa.misc.action": [ + "Allowed", + "ionevo" + ], + "rsa.misc.category": "tinvolu", + "rsa.misc.filter": "idex", + "rsa.misc.reference_id": "rcitati", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sperna", + "rsa.network.alias_host": [ + 
"piscin6866.internal.host" + ], + "rsa.threat.threat_category": "quidolor", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "piscin6866.internal.host", + "service.type": "zscaler", + "source.bytes": 3616, + "source.ip": [ + "10.135.160.125" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau", + "user.name": "volupta", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "destination.bytes": 6027, + "destination.ip": [ + "10.63.250.128" + ], + "event.action": "Allowed", + "event.code": "ntocca", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927", + "event.timezone": "OMST", + "file.type": "adip", + "fileset.name": "zia", + "host.name": "spi3544.www.host", + "http.request.referrer": "https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno", + "input.type": "log", + "log.offset": 12524, + "network.bytes": 1927, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.63.250.128", + "10.111.187.12" + ], + "related.user": [ + "saute" + ], + "rsa.db.index": "nevo", + "rsa.identity.user_dept": "tev", + "rsa.internal.data": "tDuisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nnum", + "rsa.misc.action": [ + "ntoccae", + "Allowed" + ], + "rsa.misc.category": "tium", + "rsa.misc.filter": "uteirure", + "rsa.misc.reference_id": "ntocca", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "temquiav", + "rsa.network.alias_host": [ + "spi3544.www.host" + ], + "rsa.threat.threat_category": "ate", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "spi3544.www.host", + "service.type": "zscaler", + "source.bytes": 1705, + "source.ip": [ + "10.111.187.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", + "user.name": "saute", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "destination.bytes": 1394, + "destination.ip": [ + "10.5.126.127" + ], + "event.action": "Allowed", + "event.code": "eprehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688", + "event.timezone": "PST", + "file.type": "imadmini", + "fileset.name": "zia", + "host.name": "tlab5981.www.host", + "http.request.referrer": "https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit", + "input.type": "log", + "log.offset": 13426, + "network.bytes": 7688, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.5.126.127", + "10.252.124.150" + ], + "related.user": [ + "inibusB" + ], + "rsa.db.index": "uirati", + "rsa.identity.user_dept": "roid", + "rsa.internal.data": "sBon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mod", + "rsa.misc.action": [ + "xeacomm", + "Allowed" + ], + "rsa.misc.category": "sauteiru", + "rsa.misc.filter": "antiu", + "rsa.misc.reference_id": "eprehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ema", + "rsa.network.alias_host": [ + "tlab5981.www.host" + ], + "rsa.threat.threat_category": "ataevi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tlab5981.www.host", + "service.type": "zscaler", + "source.bytes": 1940, + "source.ip": [ + "10.252.124.150" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", + "user.name": "inibusB", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "destination.bytes": 248, + "destination.ip": [ + "10.201.171.120" + ], + "event.action": "Blocked", + "event.code": "ris", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52", + "event.timezone": "CT", + "file.type": "illoin", + "fileset.name": "zia", + "host.name": "upida508.example", + "http.request.referrer": "https://example.net/psumquia/ven.html?siutali=amnih#ium", + "input.type": "log", + "log.offset": 14325, + "network.bytes": 52, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.201.171.120", + "10.91.126.231" + ], + "related.user": [ + "exercita" + ], + "rsa.db.index": "str", + "rsa.identity.user_dept": "tau", + "rsa.internal.data": "ine", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "umdo", + "rsa.misc.action": [ + "Blocked", + "orumSe" + ], + "rsa.misc.category": "tanimid", + "rsa.misc.filter": "itam", + "rsa.misc.reference_id": "ris", + "rsa.misc.result": "success", + "rsa.misc.result_code": "queips", + "rsa.network.alias_host": [ + "upida508.example" + ], + "rsa.threat.threat_category": "gnamal", + "rsa.time.event_time": 
"2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "upida508.example", + "service.type": "zscaler", + "source.bytes": 728, + "source.ip": [ + "10.91.126.231" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta", + "user.name": "exercita", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.bytes": 2703, + "destination.ip": [ + "10.135.82.97" + ], + "event.action": "Allowed", + "event.code": "iat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301", + "event.timezone": "GMT+02:00", + "file.type": "fugitsed", + "fileset.name": 
"zia", + "host.name": "oditem5255.api.localdomain", + "http.request.referrer": "https://www.example.net/iduntu/idestlab.htm?avol=icero#xer", + "input.type": "log", + "log.offset": 15210, + "network.bytes": 301, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.107.251.87", + "10.135.82.97" + ], + "related.user": [ + "str" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "nturma", + "rsa.internal.data": "ofdeFini", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quid", + "rsa.misc.action": [ + "itecto", + "Allowed" + ], + "rsa.misc.category": "quam", + "rsa.misc.filter": "adeser", + "rsa.misc.reference_id": "iat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tut", + "rsa.network.alias_host": [ + "oditem5255.api.localdomain" + ], + "rsa.threat.threat_category": "atisun", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oditem5255.api.localdomain", + "service.type": "zscaler", + "source.bytes": 1300, + "source.ip": [ + "10.107.251.87" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol", + "user.name": "str", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.bytes": 100, + "destination.ip": [ + "10.31.198.58" + ], + 
"event.action": "Blocked", + "event.code": "ditemp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672", + "event.timezone": "PST", + "file.type": "billo", + "fileset.name": "zia", + "host.name": "uamei2389.internal.example", + "http.request.referrer": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", + "input.type": "log", + "log.offset": 16116, + "network.bytes": 6672, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.215.205.216", + "10.31.198.58" + ], + "related.user": [ + "aturve" + ], + "rsa.db.index": "sau", + "rsa.identity.user_dept": "boreetdo", + "rsa.internal.data": "adipisc", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "oNemoeni", + "rsa.misc.action": [ + "nre", + "Blocked" + ], + "rsa.misc.category": "labo", + "rsa.misc.filter": "tutlab", + 
"rsa.misc.reference_id": "ditemp", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "olab", + "rsa.network.alias_host": [ + "uamei2389.internal.example" + ], + "rsa.threat.threat_category": "boris", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "uamei2389.internal.example", + "service.type": "zscaler", + "source.bytes": 7231, + "source.ip": [ + "10.215.205.216" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/its/ender.gif?oles=edic#seq", + "user.name": "aturve", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "destination.bytes": 7205, + "destination.ip": [ + "10.29.155.171" + ], + "event.action": "Allowed", + "event.code": "aboreetd", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332", + "event.timezone": "PST", + "file.type": "itau", + "fileset.name": "zia", + "host.name": "eacommod1930.internal.lan", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "input.type": "log", + "log.offset": 17002, + "network.bytes": 332, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.29.155.171", + "10.229.83.165" + ], + "related.user": [ + "ulapar" + ], + "rsa.db.index": "orsit", + "rsa.identity.user_dept": "labo", + "rsa.internal.data": "quasia", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedi", + "rsa.misc.action": [ + "llitanim", + "Allowed" + ], + "rsa.misc.category": "apariat", + "rsa.misc.filter": "tasnulap", + "rsa.misc.reference_id": "aboreetd", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "por", + "rsa.network.alias_host": [ + "eacommod1930.internal.lan" + ], + "rsa.threat.threat_category": "dolore", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "eacommod1930.internal.lan", + "service.type": "zscaler", + "source.bytes": 5047, + "source.ip": [ + "10.229.83.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oeni/tdol.gif?llamco=nea#psum", + "user.name": "ulapar", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": 
"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.bytes": 6498, + "destination.ip": [ + "10.129.192.145" + ], + "event.action": "Blocked", + "event.code": "oraincid", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014", + "event.timezone": "GMT-07:00", + "file.type": "ationev", + "fileset.name": "zia", + "host.name": "tem6984.www5.domain", + "http.request.referrer": "https://example.com/rQu/mco.jpg?dun=reprehe#tincu", + "input.type": "log", + "log.offset": 18036, + "network.bytes": 4014, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + 
"10.129.192.145", + "10.161.148.64" + ], + "related.user": [ + "lor" + ], + "rsa.db.index": "cteturad", + "rsa.identity.user_dept": "dex", + "rsa.internal.data": "adminimv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uaUten", + "rsa.misc.action": [ + "Blocked", + "amcorp" + ], + "rsa.misc.category": "umdolor", + "rsa.misc.filter": "velillu", + "rsa.misc.reference_id": "oraincid", + "rsa.misc.result": "success", + "rsa.misc.result_code": "liqua", + "rsa.network.alias_host": [ + "tem6984.www5.domain" + ], + "rsa.threat.threat_category": "mve", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tem6984.www5.domain", + "service.type": "zscaler", + "source.bytes": 1275, + "source.ip": [ + "10.161.148.64" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor", + "user.name": "lor", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.bytes": 6392, + "destination.ip": [ + "10.7.200.140" + ], + "event.action": "Allowed", + "event.code": "tpersp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 
2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664", + "event.timezone": "CEST", + "file.type": "equatur", + "fileset.name": "zia", + "host.name": "lapariat7287.internal.host", + "http.request.referrer": "https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup", + "input.type": "log", + "log.offset": 18921, + "network.bytes": 1664, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.7.200.140", + "10.203.65.161" + ], + "related.user": [ + "snost" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "siu", + "rsa.internal.data": "fdeF", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdol", + "rsa.misc.action": [ + "Allowed", + "nte" + ], + "rsa.misc.category": "adeseru", + "rsa.misc.filter": "mac", + "rsa.misc.reference_id": "tpersp", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "porinc", + "rsa.network.alias_host": [ + 
"lapariat7287.internal.host" + ], + "rsa.threat.threat_category": "mex", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "lapariat7287.internal.host", + "service.type": "zscaler", + "source.bytes": 3571, + "source.ip": [ + "10.203.65.161" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/icabo/gna.html?urerepr=eseru#quamest", + "user.name": "snost", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "destination.bytes": 7595, + "destination.ip": [ + "10.86.22.67" + ], + "event.action": "Blocked", + "event.code": "mquae", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846", + "event.timezone": "GMT-07:00", + "file.type": "ites", + "fileset.name": "zia", + "host.name": "licabo1493.api.corp", + "http.request.referrer": "https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi", + "input.type": "log", + "log.offset": 19875, + "network.bytes": 2846, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.218.98.29", + "10.86.22.67" + ], + "related.user": [ + "olori" + ], + "rsa.db.index": "cab", + "rsa.identity.user_dept": "quunt", + "rsa.internal.data": "ipi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iutali", + "rsa.misc.action": [ + "Blocked", + "atcupi" + ], + "rsa.misc.category": "isetq", + "rsa.misc.filter": "equinesc", + "rsa.misc.reference_id": "mquae", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ore", + "rsa.network.alias_host": [ + "licabo1493.api.corp" + ], + "rsa.threat.threat_category": "teturad", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "licabo1493.api.corp", + "service.type": "zscaler", + "source.bytes": 2332, + "source.ip": [ + "10.218.98.29" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ", + "user.name": "olori", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "destination.bytes": 2147, + "destination.ip": [ + "10.39.31.115" + ], + "event.action": "Allowed", + "event.code": "labo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702", + "event.timezone": "CT", + "file.type": "naaliq", + "fileset.name": "zia", + "host.name": "stenatu4844.www.invalid", + "http.request.referrer": "https://example.net/idid/tesse.txt?boru=ptateve#enderi", + "input.type": "log", + "log.offset": 20787, + "network.bytes": 5702, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.24.111.229", + "10.39.31.115" + ], + "related.user": [ + "fugi" + ], + "rsa.db.index": "rExc", + "rsa.identity.user_dept": "toccaec", + "rsa.internal.data": "acommod", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ulpa", + "rsa.misc.action": [ + "gnaal", + "Allowed" + ], + "rsa.misc.category": "nte", + "rsa.misc.filter": "pid", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": "maliquam", + "rsa.network.alias_host": [ + "stenatu4844.www.invalid" + ], + "rsa.threat.threat_category": "rad", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "stenatu4844.www.invalid", + "service.type": "zscaler", + "source.bytes": 7224, + "source.ip": [ + "10.24.111.229" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", + "user.name": "fugi", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.bytes": 4814, + "destination.ip": [ + "10.179.210.218" + ], + "event.action": "Blocked", + "event.code": "undeom", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; 
SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696", + "event.timezone": "PST", + "file.type": "ido", + "fileset.name": "zia", + "host.name": "sitam5077.internal.host", + "http.request.referrer": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", + "input.type": "log", + "log.offset": 21648, + "network.bytes": 696, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.32.39.220", + "10.179.210.218" + ], + "related.user": [ + "boreetdo" + ], + "rsa.db.index": "emvele", + "rsa.identity.user_dept": "tatevel", + "rsa.internal.data": "ritati", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "riss", + "rsa.misc.action": [ + "Blocked", + "risnis" + ], + "rsa.misc.category": "emqu", + "rsa.misc.filter": "oluptas", + "rsa.misc.reference_id": "undeom", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "isn", + "rsa.network.alias_host": [ + "sitam5077.internal.host" + ], + "rsa.threat.threat_category": "sit", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "sitam5077.internal.host", + "service.type": "zscaler", + "source.bytes": 1140, + "source.ip": [ + "10.32.39.220" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "user.name": "boreetdo", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", 
+ "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "destination.bytes": 3916, + "destination.ip": [ + "10.128.173.19" + ], + "event.action": "Blocked", + "event.code": "tlaboree", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365", + "event.timezone": "CT", + "file.type": "modocon", + "fileset.name": "zia", + "host.name": "dquia107.www.test", + "http.request.referrer": "https://example.org/liquaUte/alorum.txt?ria=atDu#nsec", + "input.type": "log", + "log.offset": 22620, + "network.bytes": 2365, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.128.173.19", + "10.88.172.34" + ], + 
"related.user": [ + "agnaaliq" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "maperi", + "rsa.internal.data": "quunt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.action": [ + "Blocked", + "dtempo" + ], + "rsa.misc.category": "ipsu", + "rsa.misc.filter": "iqu", + "rsa.misc.reference_id": "tlaboree", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mve", + "rsa.network.alias_host": [ + "dquia107.www.test" + ], + "rsa.threat.threat_category": "urExce", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "dquia107.www.test", + "service.type": "zscaler", + "source.bytes": 7680, + "source.ip": [ + "10.88.172.34" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla", + "user.name": "agnaaliq", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "destination.bytes": 7889, + "destination.ip": [ + "10.130.241.232" + ], + "event.action": "Allowed", + "event.code": "redol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302", + "event.timezone": "CT", + "file.type": "emoe", + "fileset.name": "zia", + "host.name": "lloin4019.www.localhost", + "http.request.referrer": "https://example.net/naal/equun.gif?mve=uia#iciad", + "input.type": "log", + "log.offset": 23507, + "network.bytes": 2302, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.130.241.232", + "10.238.224.49" + ], + "related.user": [ + "onse" + ], + "rsa.db.index": "aaliq", + "rsa.identity.user_dept": "mad", + "rsa.internal.data": "inv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mnisiut", + "rsa.misc.action": [ + "Allowed", + "mod" + ], + "rsa.misc.category": "uiinea", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "redol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "toditaut", + "rsa.network.alias_host": [ + "lloin4019.www.localhost" + ], + "rsa.threat.threat_category": "Except", + "rsa.time.event_time": 
"2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "lloin4019.www.localhost", + "service.type": "zscaler", + "source.bytes": 5107, + "source.ip": [ + "10.238.224.49" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", + "user.name": "onse", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.bytes": 609, + "destination.ip": [ + "10.115.53.31" + ], + "event.action": "Allowed", + "event.code": "olorema", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622", + "event.timezone": "OMST", + "file.type": "esseq", + "fileset.name": "zia", + "host.name": "tamet6317.www.host", + 
"http.request.referrer": "https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti", + "input.type": "log", + "log.offset": 24381, + "network.bytes": 2622, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.115.53.31", + "10.2.67.127" + ], + "related.user": [ + "Cic" + ], + "rsa.db.index": "ntexplic", + "rsa.identity.user_dept": "mdolore", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quatD", + "rsa.misc.action": [ + "Allowed", + "tatem" + ], + "rsa.misc.category": "aincidun", + "rsa.misc.filter": "uela", + "rsa.misc.reference_id": "olorema", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "teur", + "rsa.network.alias_host": [ + "tamet6317.www.host" + ], + "rsa.threat.threat_category": "uta", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "tamet6317.www.host", + "service.type": "zscaler", + "source.bytes": 6156, + "source.ip": [ + "10.2.67.127" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", + "user.name": "Cic", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.bytes": 5328, + "destination.ip": [ + "10.204.214.251" + ], + "event.action": "Allowed", + "event.code": "scipitl", + "event.dataset": "zscaler.zia", + 
"event.module": "zscaler", + "event.original": "tur ZSCALERNSS: time=ictas Mar 4 11:21:59 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501", + "event.timezone": "OMST", + "file.type": "tas", + "fileset.name": "zia", + "host.name": "saquaea6344.www.invalid", + "http.request.referrer": "https://example.org/modoc/boNem.gif?ssusci=animid#mpo", + "input.type": "log", + "log.offset": 25254, + "network.bytes": 501, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.204.214.251", + "10.101.38.213" + ], + "related.user": [ + "ueipsa" + ], + "rsa.db.index": "ecatcupi", + "rsa.identity.user_dept": "atuse", + "rsa.internal.data": "tur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tasun", + "rsa.misc.action": [ + "quasiarc", + "Allowed" + ], + "rsa.misc.category": "autfugi", + "rsa.misc.filter": "ritqu", + "rsa.misc.reference_id": "scipitl", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tetura", + 
"rsa.network.alias_host": [ + "saquaea6344.www.invalid" + ], + "rsa.threat.threat_category": "ntium", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "saquaea6344.www.invalid", + "service.type": "zscaler", + "source.bytes": 3487, + "source.ip": [ + "10.101.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", + "user.name": "ueipsa", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.bytes": 2118, + "destination.ip": [ + "10.18.226.72" + ], + "event.action": "Allowed", + "event.code": "dquiaco", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879", + "event.timezone": "GMT+02:00", + "file.type": "essecill", + "fileset.name": "zia", + "host.name": "utaliqu4248.www.localhost", + "http.request.referrer": "https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed", + "input.type": "log", + "log.offset": 26141, + "network.bytes": 7879, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.18.226.72", + "10.101.85.169" + ], + "related.user": [ + "rroqu" + ], + "rsa.db.index": "iacons", + "rsa.identity.user_dept": "billo", + "rsa.internal.data": "roquisqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "moles", + "rsa.misc.action": [ + "Allowed", + "vitaed" + ], + "rsa.misc.category": "billoi", + "rsa.misc.filter": "suntex", + "rsa.misc.reference_id": "dquiaco", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "oru", + "rsa.network.alias_host": [ + "utaliqu4248.www.localhost" + ], + "rsa.threat.threat_category": "olup", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "utaliqu4248.www.localhost", + "service.type": "zscaler", + "source.bytes": 2352, + "source.ip": [ + "10.101.85.169" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", + "user.name": "rroqu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.bytes": 7509, + "destination.ip": [ + "10.87.100.240" + ], + "event.action": "Allowed", + "event.code": "equep", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617", + "event.timezone": "GMT-07:00", + "file.type": "rumetMal", + "fileset.name": "zia", + "host.name": "mdolore473.internal.test", + "http.request.referrer": "https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep", + "input.type": "log", + "log.offset": 27035, + "network.bytes": 2617, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.87.100.240", + "10.242.182.193" + ], + "related.user": [ + "stenatus" + ], + "rsa.db.index": "etconsec", + "rsa.identity.user_dept": "nder", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", 
+ "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mag", + "rsa.misc.action": [ + "tali", + "Allowed" + ], + "rsa.misc.category": "oconse", + "rsa.misc.filter": "npr", + "rsa.misc.reference_id": "equep", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iqu", + "rsa.network.alias_host": [ + "mdolore473.internal.test" + ], + "rsa.threat.threat_category": "dolores", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "mdolore473.internal.test", + "service.type": "zscaler", + "source.bytes": 2124, + "source.ip": [ + "10.242.182.193" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta", + "user.name": "stenatus", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.bytes": 204, + "destination.ip": [ + "10.229.242.223" + ], + "event.action": "Blocked", + "event.code": "dexe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "autemv ZSCALERNSS: time=emq Apr 16 8:29:41 
2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460", + "event.timezone": "GMT-07:00", + "file.type": "culpaqui", + "fileset.name": "zia", + "host.name": "tatio6513.www.invalid", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "input.type": "log", + "log.offset": 27937, + "network.bytes": 2460, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.80.57.247", + "10.229.242.223" + ], + "related.user": [ + "itasp" + ], + "rsa.db.index": "pernat", + "rsa.identity.user_dept": "ptatem", + "rsa.internal.data": "autemv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdolore", + "rsa.misc.action": [ + "onproide", + "Blocked" + ], + "rsa.misc.category": "tvolup", + "rsa.misc.filter": "niam", + "rsa.misc.reference_id": "dexe", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "riosa", + 
"rsa.network.alias_host": [ + "tatio6513.www.invalid" + ], + "rsa.threat.threat_category": "red", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tatio6513.www.invalid", + "service.type": "zscaler", + "source.bytes": 2737, + "source.ip": [ + "10.80.57.247" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq", + "user.name": "itasp", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "destination.bytes": 6146, + "destination.ip": [ + "10.193.66.155" + ], + "event.action": "Allowed", + "event.code": "enim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099", + "event.timezone": "PT", + "file.type": "sintocc", + "fileset.name": "zia", + "host.name": "lapar1599.www.lan", + "http.request.referrer": "https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis", + "input.type": "log", + "log.offset": 28899, + "network.bytes": 6099, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.106.77.138", + "10.193.66.155" + ], + "related.user": [ + "iusmodt" + ], + "rsa.db.index": "iqua", + "rsa.identity.user_dept": "henderi", + "rsa.internal.data": "caecat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uteir", + "rsa.misc.action": [ + "Allowed", + "Section" + ], + "rsa.misc.category": "cididu", + "rsa.misc.filter": "Utenima", + "rsa.misc.reference_id": "enim", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orroquis", + "rsa.network.alias_host": [ + "lapar1599.www.lan" + ], + "rsa.threat.threat_category": "isn", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "lapar1599.www.lan", + "service.type": "zscaler", + "source.bytes": 4329, + "source.ip": [ + "10.106.77.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta", + "user.name": "iusmodt", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "destination.bytes": 3862, + "destination.ip": [ + "10.236.230.136" + ], + "event.action": "Allowed", + "event.code": "quira", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373", + "event.timezone": "ET", + "file.type": "undeom", + "fileset.name": "zia", + "host.name": "aquioff3853.www.localdomain", + "http.request.referrer": "https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag", + "input.type": "log", + "log.offset": 29854, + "network.bytes": 5373, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.236.230.136", + "10.54.159.1" + ], + "related.user": [ + "mUteni" + ], + "rsa.db.index": 
"olup", + "rsa.identity.user_dept": "asnulapa", + "rsa.internal.data": "mexer", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tec", + "rsa.misc.action": [ + "Allowed", + "tatema" + ], + "rsa.misc.category": "emullamc", + "rsa.misc.filter": "emveleum", + "rsa.misc.reference_id": "quira", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "aquioff3853.www.localdomain" + ], + "rsa.threat.threat_category": "tutlabo", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "aquioff3853.www.localdomain", + "service.type": "zscaler", + "source.bytes": 2446, + "source.ip": [ + "10.54.159.1" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi", + "user.name": "mUteni", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "destination.bytes": 4968, + "destination.ip": [ + "10.49.242.174" + ], + "event.action": "Allowed", + "event.code": "rroqui", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16", + "event.timezone": "OMST", + "file.type": "oeni", + "fileset.name": "zia", + "host.name": "ura675.mail.localdomain", + "http.request.referrer": "https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum", + "input.type": "log", + "log.offset": 30815, + "network.bytes": 16, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.131.246.134", + "10.49.242.174" + ], + "related.user": [ + "umdolo" + ], + "rsa.db.index": "sumquiad", + "rsa.identity.user_dept": "aconsequ", + "rsa.internal.data": "atae", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tvolup", + "rsa.misc.action": [ + "utemvel", + "Allowed" + ], + "rsa.misc.category": "untutlab", + "rsa.misc.filter": "dol", + "rsa.misc.reference_id": "rroqui", + "rsa.misc.result": "success", + "rsa.misc.result_code": "iusm", + 
"rsa.network.alias_host": [ + "ura675.mail.localdomain" + ], + "rsa.threat.threat_category": "pteurs", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ura675.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 5325, + "source.ip": [ + "10.131.246.134" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon", + "user.name": "umdolo", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.142.120.198" + ], + "event.action": "Blocked", + "event.code": "ido", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695", + "event.timezone": "CT", + "file.type": "nat", + "fileset.name": "zia", + "host.name": "iamea478.www5.host", + "http.request.referrer": "https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex", + "input.type": "log", + "log.offset": 31783, + "network.bytes": 6695, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.142.120.198", + "10.166.10.42" + ], + "related.user": [ + "olori" + ], + "rsa.db.index": "fugiatn", + "rsa.identity.user_dept": "uamqu", + "rsa.internal.data": "rere", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ende", + "rsa.misc.action": [ + "doconse", + "Blocked" + ], + "rsa.misc.category": "uovolupt", + "rsa.misc.filter": "litesse", + "rsa.misc.reference_id": "ido", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iusmodi", + "rsa.network.alias_host": [ + "iamea478.www5.host" + ], + "rsa.threat.threat_category": "dolor", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "iamea478.www5.host", + "service.type": "zscaler", + "source.bytes": 2522, + "source.ip": [ + "10.166.10.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "user.name": "olori", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "destination.bytes": 3520, + "destination.ip": [ + "10.138.188.201" + ], + "event.action": "Allowed", + "event.code": "rsitvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142", + "event.timezone": "GMT+02:00", + "file.type": "dol", + "fileset.name": "zia", + "host.name": "eaque6543.api.domain", + "http.request.referrer": "https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim", + "input.type": "log", + "log.offset": 32670, + "network.bytes": 1142, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.128.184.241", + "10.138.188.201" + ], + "related.user": [ + "etur" + ], + "rsa.db.index": "riatur", + "rsa.identity.user_dept": "urau", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": 
"User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "issu", + "rsa.misc.action": [ + "Allowed", + "sed" + ], + "rsa.misc.category": "atur", + "rsa.misc.filter": "iciadese", + "rsa.misc.reference_id": "rsitvol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "uid", + "rsa.network.alias_host": [ + "eaque6543.api.domain" + ], + "rsa.threat.threat_category": "piscivel", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "eaque6543.api.domain", + "service.type": "zscaler", + "source.bytes": 6793, + "source.ip": [ + "10.128.184.241" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "user.name": "etur", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.bytes": 2990, + "destination.ip": [ + "10.53.101.131" + ], + "event.action": "Allowed", + "event.code": "itinvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 
2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735", + "event.timezone": "CET", + "file.type": "exerci", + "fileset.name": "zia", + "host.name": "eufug1756.mail.corp", + "http.request.referrer": "https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul", + "input.type": "log", + "log.offset": 33551, + "network.bytes": 6735, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.53.101.131", + "10.213.57.165" + ], + "related.user": [ + "isau" + ], + "rsa.db.index": "asnulap", + "rsa.identity.user_dept": "ectetura", + "rsa.internal.data": "ectob", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ese", + "rsa.misc.action": [ + "litanim", + "Allowed" + ], + "rsa.misc.category": "idata", + "rsa.misc.filter": "urerepre", + "rsa.misc.reference_id": "itinvol", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "modico", + "rsa.network.alias_host": [ + "eufug1756.mail.corp" + ], + "rsa.threat.threat_category": "amni", + 
"rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "eufug1756.mail.corp", + "service.type": "zscaler", + "source.bytes": 2135, + "source.ip": [ + "10.213.57.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.net/snulap/enimadm.html?writte=sitvo#ine", + "user.name": "isau", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.bytes": 3601, + "destination.ip": [ + "10.243.6.41" + ], + "event.action": "Blocked", + "event.code": "ainc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "riame ZSCALERNSS: time=riat Jul 25 9:47:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203", + "event.timezone": "GMT+02:00", + "file.type": "venia", + "fileset.name": "zia", + "host.name": 
"orp5697.www.invalid", + "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", + "input.type": "log", + "log.offset": 34428, + "network.bytes": 203, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.81.14", + "10.243.6.41" + ], + "related.user": [ + "eiusmo" + ], + "rsa.db.index": "emp", + "rsa.identity.user_dept": "tenim", + "rsa.internal.data": "riame", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "idolores", + "rsa.misc.action": [ + "lestia", + "Blocked" + ], + "rsa.misc.category": "risni", + "rsa.misc.filter": "emacc", + "rsa.misc.reference_id": "ainc", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "pisci", + "rsa.network.alias_host": [ + "orp5697.www.invalid" + ], + "rsa.threat.threat_category": "mmod", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "orp5697.www.invalid", + "service.type": "zscaler", + "source.bytes": 3606, + "source.ip": [ + "10.55.81.14" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents", + "user.name": "eiusmo", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "destination.bytes": 4241, + "destination.ip": [ + "10.33.144.10" + ], + "event.action": "Blocked", + "event.code": "labo", + 
"event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813", + "event.timezone": "PST", + "file.type": "tvol", + "fileset.name": "zia", + "host.name": "pariatur7238.www5.invalid", + "http.request.referrer": "https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo", + "input.type": "log", + "log.offset": 35335, + "network.bytes": 3813, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.33.144.10", + "10.202.224.79" + ], + "related.user": [ + "rios" + ], + "rsa.db.index": "edolori", + "rsa.identity.user_dept": "seos", + "rsa.internal.data": "ore", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lit", + "rsa.misc.action": [ + "Blocked", + "quu" + ], + "rsa.misc.category": "oluptate", + "rsa.misc.filter": "exercita", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": 
"abor", + "rsa.network.alias_host": [ + "pariatur7238.www5.invalid" + ], + "rsa.threat.threat_category": "ritati", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pariatur7238.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2203, + "source.ip": [ + "10.202.224.79" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos", + "user.name": "rios", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "destination.bytes": 6317, + "destination.ip": [ + "10.158.18.51" + ], + "event.action": "Allowed", + "event.code": "exerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386", + 
"event.timezone": "GMT-07:00", + "file.type": "meum", + "fileset.name": "zia", + "host.name": "fficia2304.www5.home", + "http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", + "input.type": "log", + "log.offset": 36210, + "network.bytes": 4386, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.20.124.138", + "10.158.18.51" + ], + "related.user": [ + "CSe" + ], + "rsa.db.index": "quamqua", + "rsa.identity.user_dept": "aparia", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Loremip", + "rsa.misc.action": [ + "Allowed", + "quid" + ], + "rsa.misc.category": "mini", + "rsa.misc.filter": "uisnos", + "rsa.misc.reference_id": "exerci", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orem", + "rsa.network.alias_host": [ + "fficia2304.www5.home" + ], + "rsa.threat.threat_category": "nvo", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "fficia2304.www5.home", + "service.type": "zscaler", + "source.bytes": 5452, + "source.ip": [ + "10.20.124.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", + "user.name": "CSe", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "destination.bytes": 1044, + "destination.ip": [ + 
"10.134.128.27" + ], + "event.action": "Allowed", + "event.code": "olore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429", + "event.timezone": "CT", + "file.type": "sautei", + "fileset.name": "zia", + "host.name": "mquisnos7453.home", + "http.request.referrer": "https://www5.example.org/snisiut/siar.txt?inB=orp#ender", + "input.type": "log", + "log.offset": 37074, + "network.bytes": 2429, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.134.128.27", + "10.118.177.136" + ], + "related.user": [ + "Utenima" + ], + "rsa.db.index": "liqua", + "rsa.identity.user_dept": "rumSecti", + "rsa.internal.data": "tqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "voluptas", + "rsa.misc.action": [ + "olor", + "Allowed" + ], + 
"rsa.misc.category": "ataevita", + "rsa.misc.filter": "nderi", + "rsa.misc.reference_id": "olore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "orio", + "rsa.network.alias_host": [ + "mquisnos7453.home" + ], + "rsa.threat.threat_category": "rspic", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mquisnos7453.home", + "service.type": "zscaler", + "source.bytes": 6908, + "source.ip": [ + "10.118.177.136" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo", + "user.name": "Utenima", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "destination.bytes": 3034, + "destination.ip": [ + "10.68.8.143" + ], + "event.action": "Allowed", + "event.code": "lorem", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185", + "event.timezone": "OMST", + "file.type": "dunt", + "fileset.name": "zia", + "host.name": "aquio748.www.localhost", + "http.request.referrer": "https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet", + "input.type": "log", + "log.offset": 38021, + "network.bytes": 1185, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.125.120.97", + "10.68.8.143" + ], + "related.user": [ + "reet" + ], + "rsa.db.index": "tam", + "rsa.identity.user_dept": "idolo", + "rsa.internal.data": "olu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "amni", + "rsa.misc.action": [ + "edutp", + "Allowed" + ], + "rsa.misc.category": "ames", + "rsa.misc.filter": "dmi", + "rsa.misc.reference_id": "lorem", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "eserun", + "rsa.network.alias_host": [ + "aquio748.www.localhost" + ], + "rsa.threat.threat_category": "amquisno", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aquio748.www.localhost", + "service.type": "zscaler", + "source.bytes": 911, + "source.ip": [ + "10.125.120.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore", + "user.name": "reet", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "destination.bytes": 4982, + "destination.ip": [ + "10.143.0.78" + ], + "event.action": "Blocked", + "event.code": "atems", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577", + "event.timezone": "PST", + "file.type": "aria", + "fileset.name": "zia", + "host.name": "remagnam796.mail.corp", + "http.request.referrer": "https://www5.example.net/ico/giatquo.htm?evi=tionula#accus", + "input.type": "log", + "log.offset": 38924, + "network.bytes": 5577, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.137.164.122", + "10.143.0.78" + ], + "related.user": [ + "orissus" + ], + "rsa.db.index": "itesse", + "rsa.identity.user_dept": "amnihil", + "rsa.internal.data": "tatevel", 
+ "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "etdol", + "rsa.misc.action": [ + "Blocked", + "mwrit" + ], + "rsa.misc.category": "inim", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "atems", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "officiad", + "rsa.network.alias_host": [ + "remagnam796.mail.corp" + ], + "rsa.threat.threat_category": "oremeumf", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "remagnam796.mail.corp", + "service.type": "zscaler", + "source.bytes": 2923, + "source.ip": [ + "10.137.164.122" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip", + "user.name": "orissus", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.bytes": 7556, + "destination.ip": [ + "10.30.87.51" + ], + "event.action": "Blocked", + "event.code": "rchit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281", + "event.timezone": "OMST", + "file.type": "edic", + "fileset.name": "zia", + "host.name": "etdolore4227.internal.corp", + "http.request.referrer": "https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup", + "input.type": "log", + "log.offset": 39868, + "network.bytes": 3281, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.30.87.51", + "10.156.177.53" + ], + "related.user": [ + "psaquaea" + ], + "rsa.db.index": "siarc", + "rsa.identity.user_dept": "rmagnido", + "rsa.internal.data": "quiavolu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatno", + "rsa.misc.action": [ + "Blocked", + "ptatev" + ], + "rsa.misc.category": "udexerc", + "rsa.misc.filter": "ptatemse", + "rsa.misc.reference_id": "rchit", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ctetura", + "rsa.network.alias_host": [ + "etdolore4227.internal.corp" + ], + 
"rsa.threat.threat_category": "atatnon", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "etdolore4227.internal.corp", + "service.type": "zscaler", + "source.bytes": 6552, + "source.ip": [ + "10.156.177.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur", + "user.name": "psaquaea", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.bytes": 470, + "destination.ip": [ + "10.83.138.34" + ], + "event.action": "Blocked", + "event.code": "inea", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017", + "event.timezone": "GMT+02:00", + "file.type": "usmodite", + "fileset.name": "zia", + "host.name": "rors1935.api.domain", + "http.request.referrer": "https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl", + "input.type": "log", + "log.offset": 40778, + "network.bytes": 6017, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.111.249.184", + "10.83.138.34" + ], + "related.user": [ + "dentsunt" + ], + "rsa.db.index": "datatnon", + "rsa.identity.user_dept": "onsectet", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatemse", + "rsa.misc.action": [ + "upta", + "Blocked" + ], + "rsa.misc.category": "tlabo", + "rsa.misc.filter": "aliqui", + "rsa.misc.reference_id": "inea", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "quioff", + "rsa.network.alias_host": [ + "rors1935.api.domain" + ], + "rsa.threat.threat_category": "uamestqu", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rors1935.api.domain", + "service.type": "zscaler", + "source.bytes": 313, + "source.ip": [ + "10.111.249.184" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul", + "user.name": "dentsunt", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": 
"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "destination.bytes": 7810, + "destination.ip": [ + "10.141.195.13" + ], + "event.action": "Allowed", + "event.code": "tautfugi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046", + "event.timezone": "PT", + "file.type": "avolu", + "fileset.name": "zia", + "host.name": "idexeac1655.internal.test", + "http.request.referrer": "https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp", + "input.type": "log", + "log.offset": 41820, + "network.bytes": 4046, + "network.protocol": "ipv6", + "observer.product": "Internet", + 
"observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.141.195.13", + "10.180.150.47" + ], + "related.user": [ + "taliq" + ], + "rsa.db.index": "ariat", + "rsa.identity.user_dept": "ncul", + "rsa.internal.data": "nvol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itesse", + "rsa.misc.action": [ + "Allowed", + "uip" + ], + "rsa.misc.category": "teturad", + "rsa.misc.filter": "roquisqu", + "rsa.misc.reference_id": "tautfugi", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "edquian", + "rsa.network.alias_host": [ + "idexeac1655.internal.test" + ], + "rsa.threat.threat_category": "essecill", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "idexeac1655.internal.test", + "service.type": "zscaler", + "source.bytes": 3940, + "source.ip": [ + "10.180.150.47" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem", + "user.name": "taliq", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.bytes": 2266, + "destination.ip": [ + "10.166.195.20" + ], + "event.action": "Allowed", + "event.code": "ceroinB", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800", + "event.timezone": "GMT-07:00", + "file.type": "ici", + "fileset.name": "zia", + "host.name": "laboree3880.api.invalid", + "http.request.referrer": "https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint", + "input.type": "log", + "log.offset": 42776, + "network.bytes": 7800, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.255.40.12", + "10.166.195.20" + ], + "related.user": [ + "lamcolab" + ], + "rsa.db.index": "tdolorem", + "rsa.identity.user_dept": "remagnaa", + "rsa.internal.data": "uames", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mipsumq", + "rsa.misc.action": [ + "Allowed", + "citation" + ], + "rsa.misc.category": "usant", + "rsa.misc.filter": "Nem", + "rsa.misc.reference_id": "ceroinB", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orisn", + "rsa.network.alias_host": [ + "laboree3880.api.invalid" + ], + "rsa.threat.threat_category": "nimide", + 
"rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "laboree3880.api.invalid", + "service.type": "zscaler", + "source.bytes": 7073, + "source.ip": [ + "10.255.40.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna", + "user.name": "lamcolab", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.bytes": 5091, + "destination.ip": [ + "10.22.122.43" + ], + "event.action": "Blocked", + "event.code": "mexer", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815", + "event.timezone": "PT", + "file.type": "boreet", + "fileset.name": "zia", + "host.name": "tecto708.www5.example", + "http.request.referrer": 
"https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame", + "input.type": "log", + "log.offset": 43645, + "network.bytes": 7815, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.100.143.226", + "10.22.122.43" + ], + "related.user": [ + "ute" + ], + "rsa.db.index": "turveli", + "rsa.identity.user_dept": "ueporroq", + "rsa.internal.data": "cta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ento", + "rsa.misc.action": [ + "Blocked", + "Bonoru" + ], + "rsa.misc.category": "luptasnu", + "rsa.misc.filter": "quamni", + "rsa.misc.reference_id": "mexer", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumSecti", + "rsa.network.alias_host": [ + "tecto708.www5.example" + ], + "rsa.threat.threat_category": "udexerc", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "tecto708.www5.example", + "service.type": "zscaler", + "source.bytes": 1396, + "source.ip": [ + "10.100.143.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", + "user.name": "ute", + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "destination.bytes": 7456, + "destination.ip": [ + "10.119.53.68" + ], + "event.action": "Blocked", + "event.code": "illum", + "event.dataset": 
"zscaler.zia", + "event.module": "zscaler", + "event.original": "tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882", + "event.timezone": "GMT+02:00", + "file.type": "emUtenim", + "fileset.name": "zia", + "host.name": "ine3181.www.invalid", + "http.request.referrer": "https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame", + "input.type": "log", + "log.offset": 44575, + "network.bytes": 1882, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.121.9.5", + "10.119.53.68" + ], + "related.user": [ + "ssec" + ], + "rsa.db.index": "sitam", + "rsa.identity.user_dept": "mea", + "rsa.internal.data": "tesse", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dexea", + "rsa.misc.action": [ + "tinvolup", + "Blocked" + ], + "rsa.misc.category": "ende", + "rsa.misc.filter": "onse", + "rsa.misc.reference_id": "illum", + 
"rsa.misc.result": "success", + "rsa.misc.result_code": "ptat", + "rsa.network.alias_host": [ + "ine3181.www.invalid" + ], + "rsa.threat.threat_category": "sse", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ine3181.www.invalid", + "service.type": "zscaler", + "source.bytes": 497, + "source.ip": [ + "10.121.9.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul", + "user.name": "ssec", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "destination.bytes": 1428, + "destination.ip": [ + "10.237.0.173" + ], + "event.action": "Blocked", + "event.code": "periam", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 
Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826", + "event.timezone": "GMT-07:00", + "file.type": "oreeu", + "fileset.name": "zia", + "host.name": "tsunt3403.www5.test", + "http.request.referrer": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor", + "input.type": "log", + "log.offset": 45512, + "network.bytes": 6826, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.237.0.173", + "10.31.153.177" + ], + "related.user": [ + "sci" + ], + "rsa.db.index": "tMalor", + "rsa.identity.user_dept": "tiset", + "rsa.internal.data": "eleumi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "eritqui", + "rsa.misc.action": [ + "Blocked", + "dolor" + ], + "rsa.misc.category": "taspe", + "rsa.misc.filter": "oremipsu", + "rsa.misc.reference_id": "periam", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "docons", + "rsa.network.alias_host": [ + "tsunt3403.www5.test" + ], + "rsa.threat.threat_category": "evel", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tsunt3403.www5.test", + "service.type": "zscaler", + "source.bytes": 4350, + "source.ip": [ + "10.31.153.177" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt", + "user.name": "sci", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + 
"user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.bytes": 7612, + "destination.ip": [ + "10.243.182.229" + ], + "event.action": "Allowed", + "event.code": "emporin", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914", + "event.timezone": "PST", + "file.type": "edolori", + "fileset.name": "zia", + "host.name": "pitl6126.www.localdomain", + "http.request.referrer": "https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca", + "input.type": "log", + "log.offset": 46366, + "network.bytes": 3914, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.243.182.229", + "10.229.102.140" + ], + "related.user": [ + "duntut" + ], + "rsa.db.index": "mveni", + "rsa.identity.user_dept": "nimve", + "rsa.internal.data": "uasi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "epor", + "rsa.misc.action": [ + "etquasia", + "Allowed" + ], + 
"rsa.misc.category": "iaturE", + "rsa.misc.filter": "rep", + "rsa.misc.reference_id": "emporin", + "rsa.misc.result": "success", + "rsa.misc.result_code": "nimip", + "rsa.network.alias_host": [ + "pitl6126.www.localdomain" + ], + "rsa.threat.threat_category": "amnih", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pitl6126.www.localdomain", + "service.type": "zscaler", + "source.bytes": 1800, + "source.ip": [ + "10.229.102.140" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com", + "user.name": "duntut", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.bytes": 5763, + "destination.ip": [ + "10.39.46.155" + ], + "event.action": "Blocked", + "event.code": "BCSe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991", + "event.timezone": "CEST", + "file.type": "hend", + "fileset.name": "zia", + "host.name": 
"remaper3297.internal.test", + "http.request.referrer": "https://internal.example.org/onsec/dit.gif?lup=aeca#isau", + "input.type": "log", + "log.offset": 47161, + "network.bytes": 3991, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.39.46.155", + "10.120.138.109" + ], + "related.user": [ + "picia" + ], + "rsa.db.index": "pta", + "rsa.identity.user_dept": "sciveli", + "rsa.internal.data": "pteu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "adipisc", + "rsa.misc.action": [ + "exer", + "Blocked" + ], + "rsa.misc.category": "remagna", + "rsa.misc.filter": "emvel", + "rsa.misc.reference_id": "BCSe", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "lapari", + "rsa.network.alias_host": [ + "remaper3297.internal.test" + ], + "rsa.threat.threat_category": "maliq", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "remaper3297.internal.test", + "service.type": "zscaler", + "source.bytes": 447, + "source.ip": [ + "10.120.138.109" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", + "user.name": "picia", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "destination.bytes": 6740, + "destination.ip": [ + "10.53.191.49" + ], + "event.action": "Blocked", + "event.code": "idestl", + 
"event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993", + "event.timezone": "ET", + "file.type": "metMal", + "fileset.name": "zia", + "host.name": "tamr1693.api.home", + "http.request.referrer": "https://example.net/wri/itame.html?dictasun=psa#lorese", + "input.type": "log", + "log.offset": 48041, + "network.bytes": 5993, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.53.191.49", + "10.133.102.57" + ], + "related.user": [ + "onsec" + ], + "rsa.db.index": "sam", + "rsa.identity.user_dept": "ctobeat", + "rsa.internal.data": "luptate", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ecillum", + "rsa.misc.action": [ + "emp", + "Blocked" + ], + "rsa.misc.category": "ciati", + "rsa.misc.filter": "elit", + "rsa.misc.reference_id": "idestl", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "data", + 
"rsa.network.alias_host": [ + "tamr1693.api.home" + ], + "rsa.threat.threat_category": "amei", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "tamr1693.api.home", + "service.type": "zscaler", + "source.bytes": 6397, + "source.ip": [ + "10.133.102.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd", + "user.name": "onsec", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.bytes": 5521, + "destination.ip": [ + "10.91.2.225" + ], + "event.action": "Allowed", + "event.code": "tcu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uam ZSCALERNSS: time=quis Mar 11 2:28:49 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile 
Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078", + "event.timezone": "PST", + "file.type": "etcons", + "fileset.name": "zia", + "host.name": "cia5990.api.localdomain", + "http.request.referrer": "https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco", + "input.type": "log", + "log.offset": 48912, + "network.bytes": 1078, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.89.41.97", + "10.91.2.225" + ], + "related.user": [ + "tem" + ], + "rsa.db.index": "ntut", + "rsa.identity.user_dept": "nderi", + "rsa.internal.data": "uam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iuntN", + "rsa.misc.action": [ + "nim", + "Allowed" + ], + "rsa.misc.category": "etco", + "rsa.misc.filter": "autodita", + "rsa.misc.reference_id": "tcu", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uaeab", + "rsa.network.alias_host": [ + "cia5990.api.localdomain" + ], + "rsa.threat.threat_category": "ursintoc", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "cia5990.api.localdomain", + "service.type": "zscaler", + "source.bytes": 141, + "source.ip": [ + "10.89.41.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum", + "user.name": "tem", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) 
Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.bytes": 4211, + "destination.ip": [ + "10.221.20.165" + ], + "event.action": "Allowed", + "event.code": "velites", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508", + "event.timezone": "PT", + "file.type": "inculpa", + "fileset.name": "zia", + "host.name": "riatu2467.lan", + "http.request.referrer": "https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu", + "input.type": "log", + "log.offset": 49836, + "network.bytes": 4508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.221.20.165", + "10.7.18.226" + ], + "related.user": [ + "uasiarch" + ], + "rsa.db.index": "borio", + "rsa.identity.user_dept": 
"tionev", + "rsa.internal.data": "eturadip", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iadeseru", + "rsa.misc.action": [ + "epreh", + "Allowed" + ], + "rsa.misc.category": "ruredol", + "rsa.misc.filter": "atquo", + "rsa.misc.reference_id": "velites", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sequatD", + "rsa.network.alias_host": [ + "riatu2467.lan" + ], + "rsa.threat.threat_category": "acons", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "riatu2467.lan", + "service.type": "zscaler", + "source.bytes": 5810, + "source.ip": [ + "10.7.18.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla", + "user.name": "uasiarch", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.bytes": 4580, + "destination.ip": [ + "10.178.148.188" + ], + "event.action": "Allowed", + "event.code": "rit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52", + "event.timezone": "GMT+02:00", + "file.type": "sequamn", + "fileset.name": "zia", + "host.name": "pici1525.www5.corp", + "http.request.referrer": "https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu", + "input.type": "log", + "log.offset": 50802, + "network.bytes": 52, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.178.148.188", + "10.155.252.123" + ], + "related.user": [ + "inrepreh" + ], + "rsa.db.index": "ipsa", + "rsa.identity.user_dept": "ssequ", + "rsa.internal.data": "asiarc", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inimve", + "rsa.misc.action": [ + "Allowed", + "niam" + ], + "rsa.misc.category": "perspici", + "rsa.misc.filter": "uipe", + "rsa.misc.reference_id": "rit", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + 
"pici1525.www5.corp" + ], + "rsa.threat.threat_category": "emipsumd", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "pici1525.www5.corp", + "service.type": "zscaler", + "source.bytes": 6665, + "source.ip": [ + "10.155.252.123" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt", + "user.name": "inrepreh", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.bytes": 3723, + "destination.ip": [ + "10.190.42.245" + ], + "event.action": "Blocked", + "event.code": "aeab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 
Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724", + "event.timezone": "CET", + "file.type": "tatevel", + "fileset.name": "zia", + "host.name": "dolo6418.internal.host", + "http.request.referrer": "https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau", + "input.type": "log", + "log.offset": 51742, + "network.bytes": 4724, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.220.1.249", + "10.190.42.245" + ], + "related.user": [ + "olup" + ], + "rsa.db.index": "caboN", + "rsa.identity.user_dept": "quuntur", + "rsa.internal.data": "umfu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uamquaer", + "rsa.misc.action": [ + "aerat", + "Blocked" + ], + "rsa.misc.category": "quela", + "rsa.misc.filter": "qui", + "rsa.misc.reference_id": "aeab", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eosqui", + "rsa.network.alias_host": [ + "dolo6418.internal.host" + ], + "rsa.threat.threat_category": "enimi", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "dolo6418.internal.host", + "service.type": "zscaler", + "source.bytes": 2910, + "source.ip": [ + "10.220.1.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/caecat/uel.html?enim=umq#sistena", + "user.name": "olup", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + 
"user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.bytes": 363, + "destination.ip": [ + "10.112.190.154" + ], + "event.action": "Allowed", + "event.code": "lab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "aliqu ZSCALERNSS: time=sequine May 7 6:39:06 2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916", + "event.timezone": "GMT-07:00", + "file.type": "umiure", + "fileset.name": "zia", + "host.name": "imveni193.www5.host", + "http.request.referrer": "https://example.org/uames/tla.gif?rch=psa#nreprehe", + "input.type": "log", + "log.offset": 52602, + "network.bytes": 916, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.112.190.154", + "10.55.38.153" + ], + "related.user": [ + "oremeu" + ], + "rsa.db.index": "Except", + "rsa.identity.user_dept": "tvolup", + "rsa.internal.data": "aliqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Communication", + "rsa.investigations.event_vcat": "tin", + "rsa.misc.action": [ + "urau", + "Allowed" + ], + "rsa.misc.category": "isiut", + "rsa.misc.filter": "cons", + "rsa.misc.reference_id": "lab", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equamni", + "rsa.network.alias_host": [ + "imveni193.www5.host" + ], + "rsa.threat.threat_category": "billoinv", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "imveni193.www5.host", + "service.type": "zscaler", + "source.bytes": 6127, + "source.ip": [ + "10.55.38.153" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna", + "user.name": "oremeu", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "destination.bytes": 6578, + "destination.ip": [ + "10.195.153.42" + ], + "event.action": "Allowed", + "event.code": "rsit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mdo ZSCALERNSS: time=labore May 21 1:41:41 
2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345", + "event.timezone": "OMST", + "file.type": "noru", + "fileset.name": "zia", + "host.name": "ionu3320.api.localhost", + "http.request.referrer": "https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele", + "input.type": "log", + "log.offset": 53539, + "network.bytes": 4345, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.195.153.42", + "10.250.48.82" + ], + "related.user": [ + "tsedquia" + ], + "rsa.db.index": "edictasu", + "rsa.identity.user_dept": "serrorsi", + "rsa.internal.data": "mdo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tDuisaut", + "rsa.misc.action": [ + "upidatat", + "Allowed" + ], + "rsa.misc.category": "aliquide", + "rsa.misc.filter": "deriti", + "rsa.misc.reference_id": "rsit", + "rsa.misc.result": "success", + "rsa.misc.result_code": "reetdo", + "rsa.network.alias_host": [ + "ionu3320.api.localhost" + ], + "rsa.threat.threat_category": 
"dexerc", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ionu3320.api.localhost", + "service.type": "zscaler", + "source.bytes": 2982, + "source.ip": [ + "10.250.48.82" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", + "user.name": "tsedquia", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "destination.bytes": 501, + "destination.ip": [ + "10.252.164.230" + ], + "event.action": "Blocked", + "event.code": "iumtota", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421", + "event.timezone": "CT", + "file.type": "tseddo", + "fileset.name": "zia", + "host.name": "remips1499.www.local", + "http.request.referrer": 
"https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo", + "input.type": "log", + "log.offset": 54422, + "network.bytes": 7421, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.164.230", + "10.60.52.219" + ], + "related.user": [ + "gnamali" + ], + "rsa.db.index": "rumexer", + "rsa.identity.user_dept": "usan", + "rsa.internal.data": "hite", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rroq", + "rsa.misc.action": [ + "fdeFin", + "Blocked" + ], + "rsa.misc.category": "diduntut", + "rsa.misc.filter": "ano", + "rsa.misc.reference_id": "iumtota", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "strud", + "rsa.network.alias_host": [ + "remips1499.www.local" + ], + "rsa.threat.threat_category": "eratvolu", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "remips1499.www.local", + "service.type": "zscaler", + "source.bytes": 2871, + "source.ip": [ + "10.60.52.219" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder", + "user.name": "gnamali", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "destination.bytes": 3365, + "destination.ip": [ + "10.187.16.73" + ], + "event.action": "Allowed", + "event.code": "ptate", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 
2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052", + "event.timezone": "CT", + "file.type": "quam", + "fileset.name": "zia", + "host.name": "mdoloree96.domain", + "http.request.referrer": "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", + "input.type": "log", + "log.offset": 55219, + "network.bytes": 2052, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.122.102.156", + "10.187.16.73" + ], + "related.user": [ + "emoen" + ], + "rsa.db.index": "volupt", + "rsa.identity.user_dept": "metMa", + "rsa.internal.data": "iumto", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dipisc", + "rsa.misc.action": [ + "Allowed", + "turad" + ], + "rsa.misc.category": "ulpaquio", + "rsa.misc.filter": "ngelits", + "rsa.misc.reference_id": "ptate", + "rsa.misc.result": "success", + "rsa.misc.result_code": "doloremi", + "rsa.network.alias_host": [ + "mdoloree96.domain" + ], + "rsa.threat.threat_category": "lumd", + 
"rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mdoloree96.domain", + "service.type": "zscaler", + "source.bytes": 1704, + "source.ip": [ + "10.122.102.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/nge/psum.gif?exerci=isnostru#iad", + "user.name": "emoen", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "destination.bytes": 2104, + "destination.ip": [ + "10.120.215.174" + ], + "event.action": "Allowed", + "event.code": "ntexplic", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cul ZSCALERNSS: time=tate Jul 3 10:49:23 2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562", + "event.timezone": "CEST", + "file.type": "mull", + "fileset.name": "zia", + "host.name": 
"iatnulap7662.internal.local", + "http.request.referrer": "https://internal.example.org/tat/uredo.html?essequam=imav#mtot", + "input.type": "log", + "log.offset": 56107, + "network.bytes": 4562, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.248.108.55", + "10.120.215.174" + ], + "related.user": [ + "prehend" + ], + "rsa.db.index": "rinci", + "rsa.identity.user_dept": "tionemu", + "rsa.internal.data": "cul", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rema", + "rsa.misc.action": [ + "uatDu", + "Allowed" + ], + "rsa.misc.category": "ent", + "rsa.misc.filter": "iscivel", + "rsa.misc.reference_id": "ntexplic", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "moll", + "rsa.network.alias_host": [ + "iatnulap7662.internal.local" + ], + "rsa.threat.threat_category": "tion", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "iatnulap7662.internal.local", + "service.type": "zscaler", + "source.bytes": 4620, + "source.ip": [ + "10.248.108.55" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet", + "user.name": "prehend", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "destination.bytes": 5410, + "destination.ip": [ + "10.51.161.245" + ], + "event.action": "Allowed", + "event.code": "suntex", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + 
"event.original": "eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526", + "event.timezone": "PT", + "file.type": "trudexe", + "fileset.name": "zia", + "host.name": "sBonoru1929.example", + "http.request.referrer": "https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu", + "input.type": "log", + "log.offset": 56969, + "network.bytes": 7526, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.51.161.245", + "10.15.254.181" + ], + "related.user": [ + "abo" + ], + "rsa.db.index": "umdol", + "rsa.identity.user_dept": "adipis", + "rsa.internal.data": "eniamq", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "modit", + "rsa.misc.action": [ + "uteiru", + "Allowed" + ], + "rsa.misc.category": "qua", + "rsa.misc.filter": "saute", + "rsa.misc.reference_id": "suntex", + "rsa.misc.result": "success", + "rsa.misc.result_code": 
"ven", + "rsa.network.alias_host": [ + "sBonoru1929.example" + ], + "rsa.threat.threat_category": "aedicta", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "sBonoru1929.example", + "service.type": "zscaler", + "source.bytes": 4600, + "source.ip": [ + "10.15.254.181" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", + "user.name": "abo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "destination.bytes": 6628, + "destination.ip": [ + "10.7.152.238" + ], + "event.action": "Blocked", + "event.code": "scipi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 
YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491", + "event.timezone": "ET", + "file.type": "xercita", + "fileset.name": "zia", + "host.name": "onorumet4871.lan", + "http.request.referrer": "https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn", + "input.type": "log", + "log.offset": 57916, + "network.bytes": 491, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.7.152.238", + "10.129.66.196" + ], + "related.user": [ + "equamn" + ], + "rsa.db.index": "enim", + "rsa.identity.user_dept": "dol", + "rsa.internal.data": "deFinibu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vento", + "rsa.misc.action": [ + "Blocked", + "reh" + ], + "rsa.misc.category": "atev", + "rsa.misc.filter": "umq", + "rsa.misc.reference_id": "scipi", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ursintoc", + "rsa.network.alias_host": [ + "onorumet4871.lan" + ], + "rsa.threat.threat_category": "ciun", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "onorumet4871.lan", + "service.type": "zscaler", + "source.bytes": 3604, + "source.ip": [ + "10.129.66.196" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse", + "user.name": "equamn", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 
YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.bytes": 4116, + "destination.ip": [ + "10.29.162.157" + ], + "event.action": "Blocked", + "event.code": "remquela", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258", + "event.timezone": "PST", + "file.type": "lab", + "fileset.name": "zia", + "host.name": "onproi4354.www5.invalid", + "http.request.referrer": "https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo", + "input.type": "log", + "log.offset": 58862, + "network.bytes": 6258, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.185.107.27", + "10.29.162.157" + ], + "related.user": [ + "evelite" + 
], + "rsa.db.index": "orese", + "rsa.identity.user_dept": "orese", + "rsa.internal.data": "siuta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "orinrep", + "rsa.misc.action": [ + "squirat", + "Blocked" + ], + "rsa.misc.category": "sequa", + "rsa.misc.filter": "orainci", + "rsa.misc.reference_id": "remquela", + "rsa.misc.result": "success", + "rsa.misc.result_code": "mto", + "rsa.network.alias_host": [ + "onproi4354.www5.invalid" + ], + "rsa.threat.threat_category": "uradi", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "onproi4354.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.185.107.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf", + "user.name": "evelite", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "destination.bytes": 1926, + "destination.ip": [ + "10.215.63.248" + ], + "event.action": "Blocked", + "event.code": "dantium", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676", + "event.timezone": "ET", + "file.type": "Bonor", + "fileset.name": "zia", + "host.name": "beataevi7552.api.test", + "http.request.referrer": "https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco", + "input.type": "log", + "log.offset": 59899, + "network.bytes": 2676, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.215.63.248", + "10.138.0.214" + ], + "related.user": [ + "eavolupt" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "uianonn", + "rsa.internal.data": "rem", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "odita", + "rsa.misc.action": [ + "dqu", + "Blocked" + ], + "rsa.misc.category": "ipex", + "rsa.misc.filter": "ine", + "rsa.misc.reference_id": "dantium", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eumiure", + "rsa.network.alias_host": [ + "beataevi7552.api.test" + 
], + "rsa.threat.threat_category": "aincidu", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "beataevi7552.api.test", + "service.type": "zscaler", + "source.bytes": 6682, + "source.ip": [ + "10.138.0.214" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", + "user.name": "eavolupt", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "destination.bytes": 6315, + "destination.ip": [ + "10.26.115.88" + ], + "event.action": "Allowed", + "event.code": "edictas", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 
YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238", + "event.timezone": "PST", + "file.type": "nostr", + "fileset.name": "zia", + "host.name": "rvelill1981.www.invalid", + "http.request.referrer": "https://www.example.org/dolor/ing.jpg?umdo=aer#quela", + "input.type": "log", + "log.offset": 60840, + "network.bytes": 1238, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.26.115.88", + "10.12.130.224" + ], + "related.user": [ + "Nequepo" + ], + "rsa.db.index": "boreetdo", + "rsa.identity.user_dept": "itatis", + "rsa.internal.data": "pre", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.action": [ + "rmagnido", + "Allowed" + ], + "rsa.misc.category": "luptatem", + "rsa.misc.filter": "deritq", + "rsa.misc.reference_id": "edictas", + "rsa.misc.result": "success", + "rsa.misc.result_code": "hitecto", + "rsa.network.alias_host": [ + "rvelill1981.www.invalid" + ], + "rsa.threat.threat_category": "eleumiu", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "rvelill1981.www.invalid", + "service.type": "zscaler", + "source.bytes": 6135, + "source.ip": [ + "10.12.130.224" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice", + "user.name": "Nequepo", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.bytes": 1508, + "destination.ip": [ + "10.193.152.42" + ], + "event.action": "Blocked", + "event.code": "nost", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365", + "event.timezone": "GMT+02:00", + "file.type": "ostrumex", + "fileset.name": "zia", + "host.name": "quia7214.example", + "http.request.referrer": "https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi", + "input.type": "log", + "log.offset": 61785, + "network.bytes": 365, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.91.20.27", + "10.193.152.42" + ], + "related.user": [ + "edict" + ], + "rsa.db.index": "iqua", + "rsa.identity.user_dept": "modtempo", + 
"rsa.internal.data": "usan", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "plicab", + "rsa.misc.action": [ + "Blocked", + "umq" + ], + "rsa.misc.category": "eruntmol", + "rsa.misc.filter": "labore", + "rsa.misc.reference_id": "nost", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "isiutali", + "rsa.network.alias_host": [ + "quia7214.example" + ], + "rsa.threat.threat_category": "uiineav", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "quia7214.example", + "service.type": "zscaler", + "source.bytes": 2801, + "source.ip": [ + "10.91.20.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc", + "user.name": "edict", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.bytes": 7120, + "destination.ip": [ + "10.146.69.38" + ], + "event.action": "Allowed", + "event.code": "Exce", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280", + "event.timezone": "PST", + "file.type": "riameaqu", + "fileset.name": "zia", + "host.name": "aturExc7343.invalid", + "http.request.referrer": "https://example.org/onproid/ciduntut.html?xer=iat#orain", + "input.type": "log", + "log.offset": 62693, + "network.bytes": 5280, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.146.69.38", + "10.55.192.102" + ], + "related.user": [ + "quia" + ], + "rsa.db.index": "luptatem", + "rsa.identity.user_dept": "uame", + "rsa.internal.data": "iavol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnisi", + "rsa.misc.action": [ + "Allowed", + "userro" + ], + "rsa.misc.category": "etd", + "rsa.misc.filter": "loremeum", + "rsa.misc.reference_id": "Exce", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tsun", + "rsa.network.alias_host": [ + "aturExc7343.invalid" + ], + "rsa.threat.threat_category": "rsp", + 
"rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "aturExc7343.invalid", + "service.type": "zscaler", + "source.bytes": 1008, + "source.ip": [ + "10.55.192.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq", + "user.name": "quia", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.bytes": 3291, + "destination.ip": [ + "10.249.1.143" + ], + "event.action": "Allowed", + "event.code": "ntutlab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tione ZSCALERNSS: time=nibus Oct 25 7:09:57 2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672", + 
"event.timezone": "GMT-07:00", + "file.type": "temqu", + "fileset.name": "zia", + "host.name": "olo7317.www5.localhost", + "http.request.referrer": "https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt", + "input.type": "log", + "log.offset": 63579, + "network.bytes": 7672, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.249.1.143", + "10.124.177.226" + ], + "related.user": [ + "isciveli" + ], + "rsa.db.index": "liqui", + "rsa.identity.user_dept": "tincul", + "rsa.internal.data": "tione", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Utenim", + "rsa.misc.action": [ + "Allowed", + "onevo" + ], + "rsa.misc.category": "tdolore", + "rsa.misc.filter": "ptasn", + "rsa.misc.reference_id": "ntutlab", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ing", + "rsa.network.alias_host": [ + "olo7317.www5.localhost" + ], + "rsa.threat.threat_category": "quaUten", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "olo7317.www5.localhost", + "service.type": "zscaler", + "source.bytes": 3736, + "source.ip": [ + "10.124.177.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", + "user.name": "isciveli", + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": 
"2018-11-09T04:12:32.000Z", + "destination.bytes": 620, + "destination.ip": [ + "10.167.176.220" + ], + "event.action": "Blocked", + "event.code": "ione", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212", + "event.timezone": "OMST", + "file.type": "eabillo", + "fileset.name": "zia", + "host.name": "uiin1342.mail.invalid", + "http.request.referrer": "https://example.net/bor/magnido.html?emagnaal=nih#ncididu", + "input.type": "log", + "log.offset": 64523, + "network.bytes": 5212, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.146.228.249", + "10.167.176.220" + ], + "related.user": [ + "estla" + ], + "rsa.db.index": "quipe", + "rsa.identity.user_dept": "gitsed", + "rsa.internal.data": "modit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ect", + "rsa.misc.action": [ + "Blocked", + "maccu" + ], + "rsa.misc.category": "iaecon", + "rsa.misc.filter": "eni", + "rsa.misc.reference_id": "ione", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "boreet", + "rsa.network.alias_host": [ + "uiin1342.mail.invalid" + ], + "rsa.threat.threat_category": "seru", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "uiin1342.mail.invalid", + "service.type": "zscaler", + "source.bytes": 5298, + "source.ip": [ + "10.146.228.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/vel/preh.html?sequamni=edutpers#deo", + "user.name": "estla", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "destination.bytes": 4822, + "destination.ip": [ + "10.200.74.101" + ], + "event.action": "Allowed", + "event.code": "ntmo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 
2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020", + "event.timezone": "OMST", + "file.type": "uep", + "fileset.name": "zia", + "host.name": "agna5654.www.corp", + "http.request.referrer": "https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex", + "input.type": "log", + "log.offset": 65560, + "network.bytes": 5020, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.203.47.23", + "10.200.74.101" + ], + "related.user": [ + "litesse" + ], + "rsa.db.index": "nnumquam", + "rsa.identity.user_dept": "sedquia", + "rsa.internal.data": "issu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nde", + "rsa.misc.action": [ + "iqu", + "Allowed" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "ntincul", + "rsa.misc.reference_id": "ntmo", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "doconse", + 
"rsa.network.alias_host": [ + "agna5654.www.corp" + ], + "rsa.threat.threat_category": "umdolo", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "agna5654.www.corp", + "service.type": "zscaler", + "source.bytes": 4429, + "source.ip": [ + "10.203.47.23" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim", + "user.name": "litesse", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "destination.bytes": 4147, + "destination.ip": [ + "10.162.78.48" + ], + "event.action": "Blocked", + "event.code": "tect", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306", + "event.timezone": "CT", + "file.type": "etco", + "fileset.name": "zia", + "host.name": "ites5711.internal.host", + "http.request.referrer": "https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc", + "input.type": "log", + "log.offset": 66535, + "network.bytes": 1306, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.24.23.209", + "10.162.78.48" + ], + "related.user": [ + "ntore" + ], + "rsa.db.index": "eabil", + "rsa.identity.user_dept": "iumd", + "rsa.internal.data": "tenima", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ereprehe", + "rsa.misc.action": [ + "Blocked", + "tutl" + ], + "rsa.misc.category": "mip", + "rsa.misc.filter": "umSecti", + "rsa.misc.reference_id": "tect", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ameaquei", + "rsa.network.alias_host": [ + "ites5711.internal.host" + ], + "rsa.threat.threat_category": "nofdeF", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "ites5711.internal.host", + "service.type": "zscaler", + "source.bytes": 3811, + "source.ip": [ + "10.24.23.209" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", + "user.name": "ntore", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "destination.bytes": 1782, + "destination.ip": [ + "10.55.151.53" + ], + "event.action": "Allowed", + "event.code": "commod", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210", + "event.timezone": "GMT+02:00", + "file.type": "quaturve", + "fileset.name": "zia", + "host.name": "oluptat2848.api.home", + "http.request.referrer": "https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC", + "input.type": "log", + "log.offset": 67408, + "network.bytes": 1210, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.151.53", + "10.211.66.68" + ], + "related.user": [ + "squir" + ], + "rsa.db.index": "uidolore", + "rsa.identity.user_dept": "maveni", + "rsa.internal.data": "ngelit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "diconseq", + "rsa.misc.action": [ + "umet", + "Allowed" + ], + "rsa.misc.category": "ciad", + "rsa.misc.filter": "oeiusmod", + "rsa.misc.reference_id": "commod", + "rsa.misc.result": "success", + "rsa.misc.result_code": "aliqua", + "rsa.network.alias_host": [ + "oluptat2848.api.home" + ], + "rsa.threat.threat_category": "ostr", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oluptat2848.api.home", + "service.type": "zscaler", + "source.bytes": 5891, + "source.ip": [ + "10.211.66.68" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", + "user.name": "squir", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "destination.bytes": 409, + "destination.ip": [ + "10.110.16.169" + ], + "event.action": "Blocked", + "event.code": "labori", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 
2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808", + "event.timezone": "ET", + "file.type": "labore", + "fileset.name": "zia", + "host.name": "ngelitse7535.internal.lan", + "http.request.referrer": "https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo", + "input.type": "log", + "log.offset": 68307, + "network.bytes": 3808, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.209.203.156", + "10.110.16.169" + ], + "related.user": [ + "mes" + ], + "rsa.db.index": "mide", + "rsa.identity.user_dept": "roinBCSe", + "rsa.internal.data": "dipisciv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iamquisn", + "rsa.misc.action": [ + "lupta", + "Blocked" + ], + "rsa.misc.category": "uasiarch", + "rsa.misc.filter": "usBonor", + "rsa.misc.reference_id": "labori", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "olu", + "rsa.network.alias_host": [ + "ngelitse7535.internal.lan" + ], + "rsa.threat.threat_category": 
"reprehe", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ngelitse7535.internal.lan", + "service.type": "zscaler", + "source.bytes": 6650, + "source.ip": [ + "10.209.203.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", + "user.name": "mes", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "destination.bytes": 6822, + "destination.ip": [ + "10.84.9.150" + ], + "event.action": "Allowed", + "event.code": "nsecte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deser ZSCALERNSS: time=boris Jan 19 1:25:23 2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714", + "event.timezone": "PST", + "file.type": "natuser", + "fileset.name": 
"zia", + "host.name": "tiumtot3611.internal.localdomain", + "http.request.referrer": "https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol", + "input.type": "log", + "log.offset": 69189, + "network.bytes": 3714, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.84.9.150", + "10.107.68.114" + ], + "related.user": [ + "sequatDu" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "ocons", + "rsa.internal.data": "deser", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.action": [ + "Allowed", + "uianonnu" + ], + "rsa.misc.category": "Excepteu", + "rsa.misc.filter": "enimadmi", + "rsa.misc.reference_id": "nsecte", + "rsa.misc.result": "success", + "rsa.misc.result_code": "volupt", + "rsa.network.alias_host": [ + "tiumtot3611.internal.localdomain" + ], + "rsa.threat.threat_category": "orinc", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tiumtot3611.internal.localdomain", + "service.type": "zscaler", + "source.bytes": 5724, + "source.ip": [ + "10.107.68.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo", + "user.name": "sequatDu", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "destination.bytes": 4127, + "destination.ip": [ + "10.26.222.144" + ], + 
"event.action": "Blocked", + "event.code": "sintoc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977", + "event.timezone": "CEST", + "file.type": "ende", + "fileset.name": "zia", + "host.name": "gnaa4656.api.example", + "http.request.referrer": "https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua", + "input.type": "log", + "log.offset": 70095, + "network.bytes": 977, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.124.119.48", + "10.26.222.144" + ], + "related.user": [ + "nre" + ], + "rsa.db.index": "doconse", + "rsa.identity.user_dept": "amn", + "rsa.internal.data": "userro", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lloin", + "rsa.misc.action": [ + "Blocked", + "ici" + ], + 
"rsa.misc.category": "quidolor", + "rsa.misc.filter": "nonproi", + "rsa.misc.reference_id": "sintoc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "aUten", + "rsa.network.alias_host": [ + "gnaa4656.api.example" + ], + "rsa.threat.threat_category": "proiden", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "gnaa4656.api.example", + "service.type": "zscaler", + "source.bytes": 7328, + "source.ip": [ + "10.124.119.48" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese", + "user.name": "nre", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.bytes": 4382, + "destination.ip": [ + "10.164.190.2" + ], + "event.action": "Allowed", + "event.code": "datatno", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673", + "event.timezone": "GMT+02:00", + "file.type": "emp", + "fileset.name": "zia", + "host.name": "psaqu6066.www5.localhost", + "http.request.referrer": "https://internal.example.net/ali/ionu.txt?cte=ariatu#ess", + "input.type": "log", + "log.offset": 71065, + "network.bytes": 6673, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.164.190.2", + "10.223.11.164" + ], + "related.user": [ + "ten" + ], + "rsa.db.index": "asi", + "rsa.identity.user_dept": "risnisiu", + "rsa.internal.data": "mnisis", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.action": [ + "Allowed", + "antium" + ], + "rsa.misc.category": "emoeni", + "rsa.misc.filter": "itvo", + "rsa.misc.reference_id": "datatno", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mvolup", + "rsa.network.alias_host": [ + "psaqu6066.www5.localhost" + ], + "rsa.threat.threat_category": "labo", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "psaqu6066.www5.localhost", + "service.type": "zscaler", + "source.bytes": 5241, + "source.ip": [ + "10.223.11.164" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", + "user.name": "ten", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.bytes": 1460, + "destination.ip": [ + "10.14.37.8" + ], + "event.action": "Blocked", + "event.code": "olor", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667", + "event.timezone": "OMST", + "file.type": "citat", + "fileset.name": "zia", + "host.name": "iavol5202.api.example", + "http.request.referrer": "https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq", + "input.type": "log", + "log.offset": 71963, + "network.bytes": 6667, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.14.37.8", + "10.121.181.243" + ], + "related.user": [ + "umwr" + ], + "rsa.db.index": "samnisiu", + "rsa.identity.user_dept": "errorsi", + "rsa.internal.data": 
"nsec", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedic", + "rsa.misc.action": [ + "Blocked", + "rinc" + ], + "rsa.misc.category": "prehende", + "rsa.misc.filter": "rume", + "rsa.misc.reference_id": "olor", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "dquia", + "rsa.network.alias_host": [ + "iavol5202.api.example" + ], + "rsa.threat.threat_category": "rsita", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "iavol5202.api.example", + "service.type": "zscaler", + "source.bytes": 7719, + "source.ip": [ + "10.121.181.243" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis", + "user.name": "umwr", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.bytes": 3488, + "destination.ip": [ + "10.90.20.202" + ], + "event.action": "Blocked", + "event.code": "ostrude", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076", + "event.timezone": "ET", + "file.type": "nse", + "fileset.name": "zia", + "host.name": "uame1361.api.local", + "http.request.referrer": "https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor", + "input.type": "log", + "log.offset": 72910, + "network.bytes": 3076, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.10.93.133", + "10.90.20.202" + ], + "related.user": [ + "evita" + ], + "rsa.db.index": "abillo", + "rsa.identity.user_dept": "quipe", + "rsa.internal.data": "ptate", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tat", + "rsa.misc.action": [ + "nia", + "Blocked" + ], + "rsa.misc.category": "turQuis", + "rsa.misc.filter": "nonp", + "rsa.misc.reference_id": "ostrude", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eseosqu", + "rsa.network.alias_host": [ + "uame1361.api.local" + ], + 
"rsa.threat.threat_category": "henderi", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uame1361.api.local", + "service.type": "zscaler", + "source.bytes": 7548, + "source.ip": [ + "10.10.93.133" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu", + "user.name": "evita", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "destination.bytes": 4610, + "destination.ip": [ + "10.34.98.144" + ], + "event.action": "Allowed", + "event.code": "pariatu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 
Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789", + "event.timezone": "ET", + "file.type": "ese", + "fileset.name": "zia", + "host.name": "rsitame4049.internal.corp", + "http.request.referrer": "https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup", + "input.type": "log", + "log.offset": 73843, + "network.bytes": 1789, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.77.102.206", + "10.34.98.144" + ], + "related.user": [ + "tectobe" + ], + "rsa.db.index": "oreve", + "rsa.identity.user_dept": "inBCSed", + "rsa.internal.data": "laud", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Exce", + "rsa.misc.action": [ + "ulapa", + "Allowed" + ], + "rsa.misc.category": "reprehen", + "rsa.misc.filter": "itsedqui", + "rsa.misc.reference_id": "pariatu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ident", + "rsa.network.alias_host": [ + "rsitame4049.internal.corp" + ], + "rsa.threat.threat_category": "tinvolu", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "rsitame4049.internal.corp", + "service.type": "zscaler", + "source.bytes": 4143, + "source.ip": [ + "10.77.102.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", + "user.name": "tectobe", + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 
YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 3976, + "destination.ip": [ + "10.176.233.249" + ], + "event.action": "Blocked", + "event.code": "ntin", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "lit ZSCALERNSS: time=uiine Apr 15 7:40:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409", + "event.timezone": "ET", + "file.type": "ueporro", + "fileset.name": "zia", + "host.name": "elit912.www5.test", + "http.request.referrer": "https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper", + "input.type": "log", + "log.offset": 74765, + "network.bytes": 3409, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.176.233.249", + "10.75.144.118" + ], + "related.user": [ + "isnos" + ], + "rsa.db.index": "atn", + "rsa.identity.user_dept": "aconseq", + "rsa.internal.data": "lit", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "essequa", + "rsa.misc.action": [ + "odic", + "Blocked" + ], + "rsa.misc.category": "cto", + "rsa.misc.filter": "odite", + "rsa.misc.reference_id": "ntin", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equuntu", + "rsa.network.alias_host": [ + "elit912.www5.test" + ], + "rsa.threat.threat_category": "itlabori", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "elit912.www5.test", + "service.type": "zscaler", + "source.bytes": 3588, + "source.ip": [ + "10.75.144.118" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/olu/mqua.txt?mdolore=ita#aeratvol", + "user.name": "isnos", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "destination.bytes": 559, + "destination.ip": [ + "10.149.6.107" + ], + "event.action": "Allowed", + "event.code": "mveleu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rcit ZSCALERNSS: time=secte Apr 29 2:43:23 
2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318", + "event.timezone": "GMT-07:00", + "file.type": "uam", + "fileset.name": "zia", + "host.name": "tat6671.www.local", + "http.request.referrer": "https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem", + "input.type": "log", + "log.offset": 75639, + "network.bytes": 4318, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.149.6.107", + "10.236.55.236" + ], + "related.user": [ + "redolo" + ], + "rsa.db.index": "chite", + "rsa.identity.user_dept": "eseosqu", + "rsa.internal.data": "rcit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uis", + "rsa.misc.action": [ + "mvele", + "Allowed" + ], + "rsa.misc.category": "vitaedi", + "rsa.misc.filter": "ndeomni", + "rsa.misc.reference_id": "mveleu", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "lumdolor", + "rsa.network.alias_host": [ + "tat6671.www.local" + ], + "rsa.threat.threat_category": 
"uunturm", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tat6671.www.local", + "service.type": "zscaler", + "source.bytes": 4686, + "source.ip": [ + "10.236.55.236" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", + "user.name": "redolo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "destination.bytes": 982, + "destination.ip": [ + "10.97.202.149" + ], + "event.action": "Blocked", + "event.code": "itte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "erita ZSCALERNSS: time=eursint May 13 9:45:57 2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330", + "event.timezone": "CET", + "file.type": 
"gel", + "fileset.name": "zia", + "host.name": "uis5050.www.local", + "http.request.referrer": "https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu", + "input.type": "log", + "log.offset": 76532, + "network.bytes": 7330, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.13.125.101", + "10.97.202.149" + ], + "related.user": [ + "colab" + ], + "rsa.db.index": "meumfug", + "rsa.identity.user_dept": "velitess", + "rsa.internal.data": "erita", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atcupi", + "rsa.misc.action": [ + "Blocked", + "uaUten" + ], + "rsa.misc.category": "modt", + "rsa.misc.filter": "magnidol", + "rsa.misc.reference_id": "itte", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uptat", + "rsa.network.alias_host": [ + "uis5050.www.local" + ], + "rsa.threat.threat_category": "tla", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "uis5050.www.local", + "service.type": "zscaler", + "source.bytes": 7772, + "source.ip": [ + "10.13.125.101" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque", + "user.name": "colab", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.bytes": 1324, + "destination.ip": [ + 
"10.141.66.163" + ], + "event.action": "Blocked", + "event.code": "iduntut", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218", + "event.timezone": "GMT+02:00", + "file.type": "sequ", + "fileset.name": "zia", + "host.name": "ficiad1312.api.host", + "http.request.referrer": "https://example.net/minimav/uovo.html?orinrep=tNequ#eca", + "input.type": "log", + "log.offset": 77451, + "network.bytes": 2218, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.230.61.102", + "10.141.66.163" + ], + "related.user": [ + "umdolo" + ], + "rsa.db.index": "squirati", + "rsa.identity.user_dept": "serr", + "rsa.internal.data": "poriss", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itautf", + "rsa.misc.action": [ + "Blocked", + "mini" + ], + "rsa.misc.category": "gna", + "rsa.misc.filter": "usmo", + 
"rsa.misc.reference_id": "iduntut", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "iamqu", + "rsa.network.alias_host": [ + "ficiad1312.api.host" + ], + "rsa.threat.threat_category": "uovolup", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ficiad1312.api.host", + "service.type": "zscaler", + "source.bytes": 3181, + "source.ip": [ + "10.230.61.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido", + "user.name": "umdolo", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "destination.bytes": 6666, + "destination.ip": [ + "10.10.25.145" + ], + "event.action": "Blocked", + "event.code": "nrepre", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838", + "event.timezone": "OMST", + "file.type": "nibusB", + "fileset.name": "zia", + "host.name": "itaspe921.mail.invalid", + "http.request.referrer": "https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta", + "input.type": "log", + "log.offset": 78335, + "network.bytes": 3838, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.10.25.145", + "10.224.249.228" + ], + "related.user": [ + "mnisiuta" + ], + "rsa.db.index": "aliqui", + "rsa.identity.user_dept": "ugiatq", + "rsa.internal.data": "uisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "issuscip", + "rsa.misc.action": [ + "Blocked", + "remap" + ], + "rsa.misc.category": "eetdolo", + "rsa.misc.filter": "rsitam", + "rsa.misc.reference_id": "nrepre", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dqui", + "rsa.network.alias_host": [ + "itaspe921.mail.invalid" + ], + "rsa.threat.threat_category": "nde", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "itaspe921.mail.invalid", + "service.type": "zscaler", + "source.bytes": 1954, + "source.ip": [ + "10.224.249.228" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", + "user.name": "mnisiuta", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "destination.bytes": 3750, + "destination.ip": [ + "10.234.34.40" + ], + "event.action": "Blocked", + "event.code": "dolori", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304", + "event.timezone": "PT", + "file.type": "olab", + "fileset.name": "zia", + "host.name": "archite4407.mail.invalid", + "http.request.referrer": "https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu", + "input.type": "log", + "log.offset": 79223, + "network.bytes": 2304, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.247.255.107", + "10.234.34.40" + ], + "related.user": [ + "aeabillo" + ], + "rsa.db.index": "ctobeat", + "rsa.identity.user_dept": "elitsed", + "rsa.internal.data": "eiusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "neavolu", + "rsa.misc.action": [ + "nofdeF", + "Blocked" + ], + "rsa.misc.category": "remagnam", + "rsa.misc.filter": "maveniam", + "rsa.misc.reference_id": "dolori", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ent", + "rsa.network.alias_host": [ + "archite4407.mail.invalid" + ], + "rsa.threat.threat_category": "idid", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "archite4407.mail.invalid", + "service.type": "zscaler", + "source.bytes": 245, + "source.ip": [ + "10.247.255.107" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", + "user.name": "aeabillo", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.bytes": 412, + "destination.ip": [ + "10.124.81.20" + ], + "event.action": "Blocked", + "event.code": "piciatis", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 
2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077", + "event.timezone": "OMST", + "file.type": "tmollit", + "fileset.name": "zia", + "host.name": "aria1424.mail.home", + "http.request.referrer": "https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit", + "input.type": "log", + "log.offset": 80114, + "network.bytes": 2077, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.250.102.42", + "10.124.81.20" + ], + "related.user": [ + "tNequ" + ], + "rsa.db.index": "uatD", + "rsa.identity.user_dept": "tenby", + "rsa.internal.data": "tectobe", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ilmoles", + "rsa.misc.action": [ + "Blocked", + "tatisetq" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "liquide", + "rsa.misc.reference_id": "piciatis", + "rsa.misc.result": "success", + "rsa.misc.result_code": "icia", + "rsa.network.alias_host": [ + "aria1424.mail.home" + ], + "rsa.threat.threat_category": 
"texpl", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aria1424.mail.home", + "service.type": "zscaler", + "source.bytes": 2753, + "source.ip": [ + "10.250.102.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac", + "user.name": "tNequ", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.bytes": 5294, + "destination.ip": [ + "10.166.205.159" + ], + "event.action": "Allowed", + "event.code": "siutal", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089", + "event.timezone": "OMST", + 
"file.type": "cte", + "fileset.name": "zia", + "host.name": "Bonoru7444.www5.example", + "http.request.referrer": "https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim", + "input.type": "log", + "log.offset": 81010, + "network.bytes": 7089, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.154.188.132", + "10.166.205.159" + ], + "related.user": [ + "uptat" + ], + "rsa.db.index": "borisn", + "rsa.identity.user_dept": "uisa", + "rsa.internal.data": "riatur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "proid", + "rsa.misc.action": [ + "Allowed", + "onevolu" + ], + "rsa.misc.category": "iratio", + "rsa.misc.filter": "odita", + "rsa.misc.reference_id": "siutal", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "involu", + "rsa.network.alias_host": [ + "Bonoru7444.www5.example" + ], + "rsa.threat.threat_category": "atnu", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "Bonoru7444.www5.example", + "service.type": "zscaler", + "source.bytes": 4181, + "source.ip": [ + "10.154.188.132" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/tem/litsedq.htm?ium=utfugit#beat", + "user.name": "uptat", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "destination.bytes": 274, + "destination.ip": [ + "10.46.71.46" + ], + "event.action": "Allowed", + "event.code": "ugiat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + 
"event.original": "liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843", + "event.timezone": "CEST", + "file.type": "atis", + "fileset.name": "zia", + "host.name": "icero1297.internal.domain", + "http.request.referrer": "https://api.example.com/uin/isci.htm?nsectetu=spici#untutl", + "input.type": "log", + "log.offset": 81941, + "network.bytes": 7843, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.138.193.38", + "10.46.71.46" + ], + "related.user": [ + "sintocca" + ], + "rsa.db.index": "mSectio", + "rsa.identity.user_dept": "tate", + "rsa.internal.data": "liquid", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "upta", + "rsa.misc.action": [ + "Allowed", + "uovolup" + ], + "rsa.misc.category": "todit", + "rsa.misc.filter": "atisetq", + "rsa.misc.reference_id": "ugiat", + "rsa.misc.result": "success", + "rsa.misc.result_code": "uiav", + 
"rsa.network.alias_host": [ + "icero1297.internal.domain" + ], + "rsa.threat.threat_category": "ulpaq", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "icero1297.internal.domain", + "service.type": "zscaler", + "source.bytes": 745, + "source.ip": [ + "10.138.193.38" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn", + "user.name": "sintocca", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "destination.bytes": 2804, + "destination.ip": [ + "10.254.119.31" + ], + "event.action": "Blocked", + "event.code": "uunturma", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508", + "event.timezone": "CT", + "file.type": 
"pitlab", + "fileset.name": "zia", + "host.name": "oloremeu5047.www5.invalid", + "http.request.referrer": "https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der", + "input.type": "log", + "log.offset": 82861, + "network.bytes": 1508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.172.159.251", + "10.254.119.31" + ], + "related.user": [ + "usm" + ], + "rsa.db.index": "tor", + "rsa.identity.user_dept": "tconsect", + "rsa.internal.data": "ons", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "imadmi", + "rsa.misc.action": [ + "tatemacc", + "Blocked" + ], + "rsa.misc.category": "tutlabor", + "rsa.misc.filter": "eturad", + "rsa.misc.reference_id": "uunturma", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "saut", + "rsa.network.alias_host": [ + "oloremeu5047.www5.invalid" + ], + "rsa.threat.threat_category": "quamnihi", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "oloremeu5047.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2324, + "source.ip": [ + "10.172.159.251" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum", + "user.name": "usm", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + 
"destination.bytes": 4957, + "destination.ip": [ + "10.195.62.230" + ], + "event.action": "Allowed", + "event.code": "sequat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "osam ZSCALERNSS: time=ncid Sep 5 6:06:31 2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182", + "event.timezone": "PT", + "file.type": "oremeu", + "fileset.name": "zia", + "host.name": "edutpe1255.internal.lan", + "http.request.referrer": "https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia", + "input.type": "log", + "log.offset": 83817, + "network.bytes": 1182, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.195.62.230", + "10.98.126.206" + ], + "related.user": [ + "ptassit" + ], + "rsa.db.index": "amqua", + "rsa.identity.user_dept": "atatnonp", + "rsa.internal.data": "osam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Communication", + "rsa.investigations.event_vcat": "isnost", + "rsa.misc.action": [ + "Allowed", + "oriosa" + ], + "rsa.misc.category": "uis", + "rsa.misc.filter": "nemul", + "rsa.misc.reference_id": "sequat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "totamrem", + "rsa.network.alias_host": [ + "edutpe1255.internal.lan" + ], + "rsa.threat.threat_category": "citation", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "edutpe1255.internal.lan", + "service.type": "zscaler", + "source.bytes": 7244, + "source.ip": [ + "10.98.126.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr", + "user.name": "ptassit", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "destination.bytes": 6658, + "destination.ip": [ + "10.144.93.186" + ], + "event.action": "Blocked", + "event.code": "adminim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "idolo ZSCALERNSS: time=citat Sep 19 1:09:05 
2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480", + "event.timezone": "PT", + "file.type": "texplica", + "fileset.name": "zia", + "host.name": "nderit1171.www5.domain", + "http.request.referrer": "https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco", + "input.type": "log", + "log.offset": 84805, + "network.bytes": 6480, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.84.140.5", + "10.144.93.186" + ], + "related.user": [ + "eroi" + ], + "rsa.db.index": "evolu", + "rsa.identity.user_dept": "mull", + "rsa.internal.data": "idolo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntut", + "rsa.misc.action": [ + "nima", + "Blocked" + ], + "rsa.misc.category": "boru", + "rsa.misc.filter": "umquia", + "rsa.misc.reference_id": "adminim", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mUten", + "rsa.network.alias_host": [ + "nderit1171.www5.domain" + ], + 
"rsa.threat.threat_category": "acomm", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "nderit1171.www5.domain", + "service.type": "zscaler", + "source.bytes": 4943, + "source.ip": [ + "10.84.140.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", + "user.name": "eroi", + "user_agent.device.name": "Other", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.bytes": 6855, + "destination.ip": [ + "10.31.58.6" + ], + "event.action": "Allowed", + "event.code": "volu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856", + 
"event.timezone": "ET", + "file.type": "olu", + "fileset.name": "zia", + "host.name": "nos4114.api.lan", + "http.request.referrer": "https://mail.example.com/dminim/sse.gif?equ=turvelil#lor", + "input.type": "log", + "log.offset": 85726, + "network.bytes": 5856, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.31.58.6", + "10.198.84.190" + ], + "related.user": [ + "unt" + ], + "rsa.db.index": "sec", + "rsa.identity.user_dept": "ern", + "rsa.internal.data": "uianon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tquovo", + "rsa.misc.action": [ + "qua", + "Allowed" + ], + "rsa.misc.category": "ectet", + "rsa.misc.filter": "lites", + "rsa.misc.reference_id": "volu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "xeacomm", + "rsa.network.alias_host": [ + "nos4114.api.lan" + ], + "rsa.threat.threat_category": "lapa", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "nos4114.api.lan", + "service.type": "zscaler", + "source.bytes": 6831, + "source.ip": [ + "10.198.84.190" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame", + "user.name": "unt", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.bytes": 3128, + 
"destination.ip": [ + "10.139.90.218" + ], + "event.action": "Allowed", + "event.code": "umdol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119", + "event.timezone": "ET", + "file.type": "ione", + "fileset.name": "zia", + "host.name": "oremeum4231.internal.host", + "http.request.referrer": "https://mail.example.com/veri/run.txt?enimadm=empo#apa", + "input.type": "log", + "log.offset": 86632, + "network.bytes": 6119, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.131.81.172", + "10.139.90.218" + ], + "related.user": [ + "hende" + ], + "rsa.db.index": "tionu", + "rsa.identity.user_dept": "icons", + "rsa.internal.data": "ept", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rrorsi", + "rsa.misc.action": [ + "exe", + "Allowed" + ], + "rsa.misc.category": "mnihi", + "rsa.misc.filter": 
"consequa", + "rsa.misc.reference_id": "umdol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "oremeum4231.internal.host" + ], + "rsa.threat.threat_category": "voluptat", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "oremeum4231.internal.host", + "service.type": "zscaler", + "source.bytes": 6188, + "source.ip": [ + "10.131.81.172" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin", + "user.name": "hende", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.bytes": 114, + "destination.ip": [ + "10.128.43.71" + ], + "event.action": "Blocked", + "event.code": "ssequa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "utodit ZSCALERNSS: time=cer Nov 1 10:16:48 2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150", + "event.timezone": "PST", + "file.type": "tionu", + "fileset.name": "zia", + "host.name": "ueip6097.api.host", + "http.request.referrer": "https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate", + "input.type": "log", + "log.offset": 87518, + "network.bytes": 1150, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.152.217.174", + "10.128.43.71" + ], + "related.user": [ + "mquiado" + ], + "rsa.db.index": "nderit", + "rsa.identity.user_dept": "nderitin", + "rsa.internal.data": "utodit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "olupt", + "rsa.misc.action": [ + "Blocked", + "temvele" + ], + "rsa.misc.category": "natuser", + "rsa.misc.filter": "amnihil", + "rsa.misc.reference_id": "ssequa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "urm", + "rsa.network.alias_host": [ + "ueip6097.api.host" + ], + "rsa.threat.threat_category": "eetd", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "ueip6097.api.host", + "service.type": "zscaler", + "source.bytes": 7350, + "source.ip": [ + "10.152.217.174" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", + "user.name": "mquiado", + "user_agent.device.name": "Generic Tablet", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.26.149.221" + ], + "event.action": "Blocked", + "event.code": "umquidol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387", + "event.timezone": "PT", + "file.type": "dut", + "fileset.name": "zia", + "host.name": "fugiatqu7793.www.localdomain", + "http.request.referrer": "https://api.example.com/lit/laborio.gif?mfug=acommod#mid", + "input.type": "log", + "log.offset": 88400, + "network.bytes": 387, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.217.193.148", + "10.26.149.221" + ], + "related.user": [ + "uisa" + ], + "rsa.db.index": "tiumdol", + "rsa.identity.user_dept": "oloremag", + "rsa.internal.data": "pici", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tionemu", + "rsa.misc.action": [ + "Blocked", + "rehe" + ], + "rsa.misc.category": "aecons", + "rsa.misc.filter": "aturve", + "rsa.misc.reference_id": "umquidol", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ipex", + "rsa.network.alias_host": [ + "fugiatqu7793.www.localdomain" + ], + "rsa.threat.threat_category": "quipexea", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "fugiatqu7793.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3382, + "source.ip": [ + "10.217.193.148" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci", + "user.name": "uisa", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "destination.bytes": 4053, + "destination.ip": [ + "10.109.192.53" + ], + "event.action": "Blocked", + "event.code": "rehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487", + "event.timezone": "CET", + "file.type": "oluptat", + "fileset.name": "zia", + "host.name": "onsequ3168.www.corp", + "http.request.referrer": "https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo", + "input.type": "log", + "log.offset": 89317, + "network.bytes": 1487, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.172.17.6", + "10.109.192.53" + ], + "related.user": [ + "eprehen" + ], + "rsa.db.index": "tcupi", + "rsa.identity.user_dept": "boriosa", + "rsa.internal.data": "agnamali", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "temUte", + "rsa.misc.action": [ + "tassit", + "Blocked" + ], + "rsa.misc.category": "ita", + "rsa.misc.filter": "scive", + "rsa.misc.reference_id": "rehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "suntin", + "rsa.network.alias_host": [ + 
"onsequ3168.www.corp" + ], + "rsa.threat.threat_category": "ostru", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "onsequ3168.www.corp", + "service.type": "zscaler", + "source.bytes": 212, + "source.ip": [ + "10.172.17.6" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe", + "user.name": "eprehen", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.bytes": 391, + "destination.ip": [ + "10.119.106.108" + ], + "event.action": "Blocked", + "event.code": "iatisund", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 
YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745", + "event.timezone": "PT", + "file.type": "Lor", + "fileset.name": "zia", + "host.name": "oremquel3120.internal.localhost", + "http.request.referrer": "https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut", + "input.type": "log", + "log.offset": 90257, + "network.bytes": 7745, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.119.106.108", + "10.135.38.213" + ], + "related.user": [ + "ore" + ], + "rsa.db.index": "xplic", + "rsa.identity.user_dept": "ser", + "rsa.internal.data": "onevol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "exeacomm", + "rsa.misc.action": [ + "Blocked", + "volup" + ], + "rsa.misc.category": "ten", + "rsa.misc.filter": "ssecil", + "rsa.misc.reference_id": "iatisund", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ull", + "rsa.network.alias_host": [ + "oremquel3120.internal.localhost" + ], + "rsa.threat.threat_category": "oquisq", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "oremquel3120.internal.localhost", + "service.type": "zscaler", + "source.bytes": 1902, + "source.ip": [ + "10.135.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", + "user.name": "ore", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log new file mode 100644 index 00000000000..f1502e48309 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log @@ -0,0 +1 @@ +hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize= diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json new file mode 100644 index 00000000000..423d10f5ac2 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -0,0 +1,57 @@ +[ + { + "@timestamp": "2017-06-23T17:16:42.000Z", + "event.action": "", + "event.code": "", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", + "event.timezone": "CEST", + "file.type": "", + "fileset.name": "zia", + "host.name": "", + "http.request.referrer": "", + "input.type": "log", + "log.offset": 0, + "network.protocol": "", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.user": [ + "" + ], + "rsa.db.index": "", + "rsa.identity.user_dept": "", + "rsa.internal.data": "hello", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "", + "rsa.misc.action": [ + "", + "" + ], + "rsa.misc.category": "", + "rsa.misc.filter": "", + "rsa.misc.reference_id": "", + "rsa.misc.result": "", + "rsa.misc.result_code": "", + "rsa.network.alias_host": [ + "" + ], + "rsa.threat.threat_category": "", + "rsa.time.event_time": "2017-06-23T17:16:42.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "", + "service.type": "zscaler", + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "", + "user.name": "", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + } +] \ No newline at end of file 
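Review bot: The reference output pins `"@timestamp": "2017-06-23T17:16:42.000Z"` for a message logged as `15:16:42` with `timezone=CEST`, which is two hours later than the log time although CEST is UTC+2 and a correct conversion would land two hours earlier; the zscaler fixture above shows the same fixed +2h shift for ET, PST, PT and CET events alike, so the per-event `timezone` value appears to be ignored and a single global offset (presumably the test's `var.tz_offset`) applied instead — worth confirming before this file becomes the reference, since skewed timestamps break correlation with other sources. The same fixture also records empty strings in the ECS pivot arrays (`"related.user": [""]`, `"rsa.network.alias_host": [""]`, `"rsa.misc.action": ["", ""]`), so an all-empty message populates `related.*` with values nobody can search on; the pipeline should drop empty values before appending to those arrays rather than the fixture codifying them. Both observations concern the generated expectation only as far as it freezes pipeline behaviour defined outside this hunk.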
diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled
new file mode 100644
index 00000000000..a10208c0533
--- /dev/null
+++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled
@@ -0,0 +1,22 @@
+# Module: barracuda
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-barracuda.html
+
+- module: barracuda
+ waf:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9503
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled
new file mode 100644
index 00000000000..df71bb8ab04
--- /dev/null
+++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled
@@ -0,0 +1,22 @@
+# Module: bluecoat
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-bluecoat.html
+
+- module: bluecoat
+ director:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9505
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled
index 2b2ea2461cc..4f398958101 100644
--- a/x-pack/filebeat/modules.d/cisco.yml.disabled
+++ b/x-pack/filebeat/modules.d/cisco.yml.disabled
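Review bot: Every new dataset block documents `var.input: udp` as the default next to `var.syslog_host: localhost`, but nothing in the comment tells the operator that the udp and tcp inputs accept unauthenticated syslog from any sender once the host is changed to a routable address, so a spoofed datagram can inject fabricated WAF, VPN, AV or firewall events into the index that detections then act on. The identical block is repeated in the other new and extended modules.d files of this commit (bluecoat, cisco, citrix, cylance, f5, fortinet, imperva, infoblox, juniper, kaspersky, microsoft, netscout, radware, rapid7, sonicwall, squid, tenable, tomcat, zscaler), so one wording fix covers all of them. I would add after the `var.syslog_host` line: `# Only the loopback bind is safe by default: a non-local address exposes an unauthenticated listener, so restrict it with a host firewall and prefer tcp from known senders.` Whether the tcp variant of these module inputs can be given TLS settings is not visible here; if it can, the comment should point to that option as well.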
@@ -54,3 +54,22 @@
 # Set custom paths for the log files when using file input. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
+
+ nexus:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9506
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/citrix.yml.disabled b/x-pack/filebeat/modules.d/citrix.yml.disabled
new file mode 100644
index 00000000000..9356b52952c
--- /dev/null
+++ b/x-pack/filebeat/modules.d/citrix.yml.disabled
@@ -0,0 +1,22 @@
+# Module: citrix
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-citrix.html
+
+- module: citrix
+ virtualapps:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9507
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled
new file mode 100644
index 00000000000..8f16f29ca5b
--- /dev/null
+++ b/x-pack/filebeat/modules.d/cylance.yml.disabled
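Review bot: The appended `nexus` block writes its settings as `# var.input: udp` (space after `#`) with the short `# Set paths for the log files when file input is used.` wording, while the cisco file it is appended to, as the hunk's context lines show, uses `#var.paths:` without the space and the longer `# Set custom paths for the log files when using file input. If left empty,` / `# Filebeat will choose the paths depending on your OS.` text; the fortinet hunk further down has the same mismatch (`#var.syslog_port: 9004` in context versus `# var.syslog_port: 9510` added). Within one file the two comment styles should agree, so either match the existing `#var.` form in these two appended blocks or reformat the whole file in a separate change. The `- module: cisco` header and the earlier filesets are outside the hunk.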
@@ -0,0 +1,22 @@
+# Module: cylance
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cylance.html
+
+- module: cylance
+ protect:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9508
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled
new file mode 100644
index 00000000000..633a0c5636a
--- /dev/null
+++ b/x-pack/filebeat/modules.d/f5.yml.disabled
@@ -0,0 +1,41 @@
+# Module: f5
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-f5.html
+
+- module: f5
+ bigipapm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9504
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ firepass:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9509
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled
index b892d7dd855..a1197485d81 100644
--- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -14,3 +14,22 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled new file mode 100644 index 00000000000..f5e69959cf9 --- /dev/null +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled @@ -0,0 +1,22 @@ +# Module: imperva +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-imperva.html + +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled new file mode 100644 index 00000000000..ec5385c6df7 --- /dev/null +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled 
@@ -0,0 +1,22 @@
+# Module: infoblox
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-infoblox.html
+
+- module: infoblox
+ nios:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9512
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled
new file mode 100644
index 00000000000..3118b60ac28
--- /dev/null
+++ b/x-pack/filebeat/modules.d/juniper.yml.disabled
@@ -0,0 +1,22 @@
+# Module: juniper
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-juniper.html
+
+- module: juniper
+ junos:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9513
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/kaspersky.yml.disabled b/x-pack/filebeat/modules.d/kaspersky.yml.disabled
new file mode 100644
index 00000000000..5a0db0982e9
--- /dev/null
+++ b/x-pack/filebeat/modules.d/kaspersky.yml.disabled
@@ -0,0 +1,22 @@
+# Module: kaspersky
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-kaspersky.html
+
+- module: kaspersky
+ av:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9514
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled
new file mode 100644
index 00000000000..9ea082817cf
--- /dev/null
+++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled
@@ -0,0 +1,22 @@
+# Module: microsoft
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-microsoft.html
+
+- module: microsoft
+ dhcp:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9515
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled
new file mode 100644
index 00000000000..988f1b98899
--- /dev/null
+++ b/x-pack/filebeat/modules.d/netscout.yml.disabled
@@ -0,0 +1,22 @@
+# Module: netscout
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-netscout.html
+
+- module: netscout
+ sightline:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9502
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled
new file mode 100644
index 00000000000..ad17e4fcd7d
--- /dev/null
+++ b/x-pack/filebeat/modules.d/radware.yml.disabled
@@ -0,0 +1,22 @@
+# Module: radware
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-radware.html
+
+- module: radware
+ defensepro:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9518
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/rapid7.yml.disabled b/x-pack/filebeat/modules.d/rapid7.yml.disabled
new file mode 100644
index 00000000000..8d24b0bce82
--- /dev/null
+++ b/x-pack/filebeat/modules.d/rapid7.yml.disabled
@@ -0,0 +1,22 @@
+# Module: rapid7
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-rapid7.html
+
+- module: rapid7
+ nexpose:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9517
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled
new file mode 100644
index 00000000000..975b4577c13
--- /dev/null
+++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled
@@ -0,0 +1,22 @@
+# Module: sonicwall
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sonicwall.html
+
+- module: sonicwall
+ firewall:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9519
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled
new file mode 100644
index 00000000000..3656c1b8eed
--- /dev/null
+++ b/x-pack/filebeat/modules.d/squid.yml.disabled
@@ -0,0 +1,22 @@
+# Module: squid
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-squid.html
+
+- module: squid
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9520
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/tenable.yml.disabled b/x-pack/filebeat/modules.d/tenable.yml.disabled
new file mode 100644
index 00000000000..57ef8ee2536
--- /dev/null
+++ b/x-pack/filebeat/modules.d/tenable.yml.disabled
@@ -0,0 +1,22 @@
+# Module: tenable
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tenable.html
+
+- module: tenable
+ nessus_security:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9516
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled
new file mode 100644
index 00000000000..f0b415606b2
--- /dev/null
+++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled
@@ -0,0 +1,22 @@
+# Module: tomcat
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tomcat.html
+
+- module: tomcat
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9501
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled
new file mode 100644
index 00000000000..2c8f03ebcc3
--- /dev/null
+++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled
@@ -0,0 +1,22 @@
+# Module: zscaler
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-zscaler.html
+
+- module: zscaler
+ zia:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9521
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
